Source: https://www.fatskills.com/comptia-security-certification/chapter/comptia-security-sy0-601-exam-a-simple-guide-to-secure-mobile-solutions

CompTIA Security SY0-601 Exam: A Simple Guide To Secure Mobile Solutions

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.


Objective: Given a scenario, implement secure mobile solutions.

Topics:
- mobile device management (MDM)
- MicroSD hardware security module (HSM)
- unified endpoint management (UEM)
- mobile application management (MAM)
- SEAndroid
- rooting/jailbreaking
- sideloading
- bring your own device (BYOD)
- corporate-owned, personally enabled (COPE)
- choose your own device (CYOD)
- virtual desktop infrastructure (VDI)

Communication Methods
Just about every technology magazine and article published mentions a new mobile device, operating system release, or service provider merger. We are just beginning to see the benefits of 5G (the fifth generation of cellular wireless standards) technology, which provides capabilities beyond 4G LTE mobile networks to accommodate real-time applications across billions of interconnected devices. A mobile device contains a full filesystem, applications, and data. Mobile devices need to be protected in a similar manner to regular computers. The composition of a mobile device is different than that of a regular computer, though, because it is an embedded device, so security is a bit more challenging. Mobile devices can communicate using several methods, including cellular, Bluetooth, Wi-Fi, and near-field communication.

Cellular communications are the main mode that a mobile device uses to connect to a service provider network. A cellular network consists of the following components:
- Cellular layout (towers)
- Base station (which connects to the tower)
- Mobile switching office (the centerpiece of the operation)
- Public switched telephone network (PSTN)

Today wireless providers transmit voice calls over this traditional circuit-switched network design, and subscribers use the newer IP-based 4G and 5G LTE networks to access the Internet and other data services.
 

Two cellular voice technologies are currently used: Code-Division Multiple Access (CDMA) and Global System for Mobile Communications (GSM). GSM is the dominant technology and is used in more than 100 countries, mostly in Asia and Europe.
GSM devices use a subscriber identity module (SIM) to communicate with the provider network. CDMA, which relies on a soft handoff, allows for fewer dropped calls and provides a more secure underlying technology than GSM. Currently, AT&T and T-Mobile run on GSM networks, while Sprint and Verizon Wireless use CDMA.
Long-Term Evolution (LTE) is used for faster data transfer and higher capacity. Different variations of LTE networks exist across carriers that use different frequencies. Sprint, T-Mobile, Verizon, and AT&T all have their own bands of LTE.
For users who lack traditional landline or cellular coverage, satellite communication (SATCOM) is an option for mobile device use. SATCOM uses an artificial satellite for telecommunication that transmits radio signals. It can cover far more distance and wider areas than most other radio technologies. Because satellite phones do not rely on phone transmission lines or cellular towers, they function in remote locations. Most satellite phones have limited connectivity to the Internet, and data rates tend to be slow, but they come with GPS capabilities to indicate the user’s position in real time.
Satellite phones generally require line of sight to the sky to receive a signal for service. Dense structures such as buildings and mountains negatively affect the signal.
The most common satellite phones are Inmarsat, Iridium, Globalstar, and Thuraya. Some satellite phones use SIM cards and others do not. For example, Globalstar does not use SIM cards, whereas Inmarsat and Iridium do.
Mobile devices also communicate via wireless signals. The most common are Wi-Fi and Bluetooth. Mobile Wi-Fi connectivity basically works just like connecting your laptop to a wireless router for Internet access. Through the device’s Settings menu, you can access available Wi-Fi networks. Additional capabilities of Wi-Fi are described later in this guide.
Mobile devices are equipped for Bluetooth, which is short-range wireless connectivity. A common cellular use for Bluetooth is listening to music. Users also can pair a cell phone with a car infotainment center so they can talk on the phone “hands free” while driving. In fact, drivers sometimes wear wireless headsets for the same purpose.
Bluetooth uses a spread-spectrum, frequency-hopping, full-duplex signal. An antenna-equipped chip in each device that wants to communicate sends and receives signals at a specific frequency range defined for short-range communication. For Bluetooth devices to communicate, they pair with each other to form a personal area network (PAN), also known as a piconet. This process is done through discovery, with one device making itself discoverable by the other device. Bluetooth is a common mobile connectivity method because it has low power consumption requirements and a short-range signal.
Near-field communication (NFC) is a set of standards for contactless communication between devices. NFC chips in mobile devices generate electromagnetic fields. This allows a device to communicate with other devices. Although NFC is considered contactless, in most practical uses, devices establish communication by being close or even touching. Contactless payment systems such as those in coffee shops, train stations, and some supermarkets allow payment through the phone’s NFC chip: The user simply holds the phone close to the payment terminal.

The NFC standard has three modes of operation:
- Peer-to-peer mode:
Two mobile devices exchange data.
- Read/write mode: An active device receives data from a passive device.
- Card emulation: The device is used as a contactless credit card.

Most users are familiar with NFC as a feature of their smartphone. The NFC technology makes tap-and-go services such as Apple Pay and Google Pay work.
Many Android mobile devices natively support ANT+. ANT is a proprietary multicast wireless sensor technology developed by ANT Wireless.
ANT technology enables you to view fitness and health monitoring data in real time on your mobile device. ANT is a wireless protocol for use over short distances that creates PANs and is similar to Bluetooth.
For example, the ANT+ heart rate belt has the capability to communicate with Garmin sports watches. The main difference between ANT and Bluetooth is that ANT tends to have a lower power consumption rate and is geared toward sensor usage.
Another wireless mobile technology used for device communication over a short range is infrared (IR). IR transceivers are relatively inexpensive and provide short-range communication solutions. IR communication is most commonly used in mobile technology with IR cameras. IR technologies are quickly advancing, and soon smartphones might have IR cameras built in. The FLIR One is an example of an infrared camera attachment for a smartphone or tablet. Recent Apple patents and design rumors indicate that future iPhones could use infrared technology to provide sophisticated cameras or embed a fingerprint scanner that uses infrared emitters and sensors. In 2015, Peel Technologies was granted a patent for IR technology that allows users to control their TV through their cell phone. Many vendors, such as Fluke, have developed IR cameras for night vision recording that can be used with a handheld device. In addition, fire and police departments use IR for thermal sensing to find people in burning buildings and locate suspects at night or in heavily wooded areas.
Another communication method mobile devices use is USB. USB communications allow a cell phone to be used for data or audio or a mass storage device. USB communication is commonly used to create a hotspot by connecting a laptop to a cell phone for Internet connectivity. Often this method is used for security reasons when Internet access is needed but only untrusted public Wi-Fi networks such as those in an airport, hotel, or coffee shop are available. USB connectivity also allows a mobile device to act as a modem, fax, or extension interface to plug in to other USB devices. In addition, the mobile USB port can be used for connecting to forensic acquisition devices when information needs to be gathered for an investigation.

Mobile Device Management Concepts
The commingling of personal and organizational data on mobile devices is inevitable unless some safeguards are in place, such as keeping sensitive data only on secure servers and accessing it remotely using secure communication techniques outlined in the security policy. Another option is to separate user data from organizational data on the device. This separation limits business risk associated with enterprise data on mobile devices by compartmentalizing the data. It leaves employees’ private information untouched and makes it possible to enforce policies and compliance at the application level.

Device, Application, and Content Management
Managing mobile device access and usage in an organization is a challenging endeavor. Businesses take various approaches to dealing with handheld devices, and each business has different needs. Because handheld technology moves at a much faster pace than computer technology, administrative nightmares can happen quickly. While mobile device and mobile operating system manufacturers include security capabilities, many third parties provide a host of management solutions to augment and extend the options, which is particularly important for organizations. Android, for example, uses Security-Enhanced Linux (SELinux) to enable SEAndroid, which provides access control over the running processes.
Mobile management is necessary to protect organizational assets at various levels, including the device itself, applications, and content. This section discusses these three concepts.

Mobile Device Management
Mobile device management (MDM) and unified endpoint management (UEM) differ from mobile application management (MAM).
MDM provides functionality and control over enterprise devices by allowing the enrollment of enterprise devices for management functions such as provisioning devices, tracking inventory, changing configurations, updating, managing applications, and enforcing policies. For example, VPN and passcode settings can be pushed out to users, which saves the support staff a lot of time and effort.
MAM focuses on application management. MDM solutions provide a more comprehensive level of device management, from managing applications and application data all the way down to device firmware and configuration settings. UEM expands on MDM by providing unified capabilities across MAM and MDM and also including content and threat management, identity and access management, and application containerization.
Both iOS and Android isolate applications and sensitive operating system features using a method called sandboxing or containerization. Android uses the SEAndroid capabilities mentioned previously. Sandboxing is a security method that keeps running applications separate. Although this design reduces the threat surface, malware or spyware can still potentially be installed. The mobile threat landscape increases with ambiguous applications, such as those that require excessive privileges or that access sensitive data. Too often, users click through permission requests when installing an application, giving full access to information on the device. Other advanced features of mobile endpoint solutions are discussed next. Many of these capabilities, including the capabilities already discussed, are brought together under UEM solutions.
In a corporate environment, applications can be managed by provisioning and controlling access to available mobile applications. This process is called mobile application management (MAM).

Mobile Content Management

One of the biggest security risks involves applications that share data across environments such as Dropbox, Box, Google Drive, OneDrive, and iCloud. Organizations should carefully consider what apps to allow on their production networks.
When dealing with shared data, mobile content management (MCM) comes into play. MCM has several different definitions, but in the context of this discussion it refers to controlling access to content from mobile devices, not to managing the content of a mobile-accessible website. An MCM system is used to control access to the file storage and sharing capabilities of services. These services can be cloud based, as with Office 365 and Box, or can function as middleware connecting the mobile device with existing data repositories. Many of these services are used for collaboration and better workflow by interfacing with other productivity applications. One such example is the capability for real-time coauthoring in Office Online through Box.
With MCM, several layers of access exist—not only for the mobile user but also for the applications and services. An MCM solution must incorporate identity management, so it offers control over what data end users are able to access. Many MCM products provide enhanced security features by using secure storage containers to secure organizational data downloaded to a mobile device.

Mobile Application Management
In addition to device security, you need to consider mobile application security.
The primary attack points on mobile devices are data storage, key stores, the application file system, application databases, caches, and configuration files. Recommendations for application security include restricting which applications may be installed through whitelisting, digitally signing applications to ensure that only applications from trusted entities are installed on the device, and distributing the organization’s applications from a dedicated mobile application store.
Access controls rely on credentials to validate the identities of users, applications, and devices. Application credentials such as usernames and passwords are stored in databases on a device, and often the credentials are not encrypted. MDM solutions allow organizations to manage application credentials in ways that reduce the risk of compromised credentials, protect data more effectively, reduce operational costs, and improve efficiency.
Security best practices require strong authentication credentials so that a device can be trusted both on the enterprise’s network and with access to enterprise applications. Passwords are one of the primary methods of acquiring access. For applications that require authentication, passwords need to be sufficiently long and complex. However, although using strong passwords reduces the overall risk of a security breach, strong passwords do not replace the need for other effective security controls.
Using static passwords for authentication is a flawed security practice because passwords can be guessed, forgotten, or written down.
Mobile phones that are capable of running Java applets are common, so a mobile phone can be used as an authentication token. Many vendors offer one-time passwords (OTPs) as an authentication solution for Java-capable mobile devices. An application might require an OTP for performing highly sensitive operations such as fund transfers. OTPs can be either Short Message Service (SMS) generated or device generated. Device-generated OTPs are better than SMS OTPs because they eliminate the sniffing and delivery time issues associated with SMS OTP.
Managing mobile applications is a top security concern for organizations. Applications can be managed through whitelisting or blacklisting. The general concept behind application whitelisting differs from that of blacklisting. Instead of attempting to block malicious files and activity, as blacklisting does, application whitelisting permits only known good apps.
When security is a concern, whitelisting applications is a better option because it allows organizations to maintain strict control over the apps employees are approved to use.
Whitelisting of apps can be controlled through various MDM policies. One of the most effective techniques for managing a whitelist is to automatically trust certain publishers of software. Whitelisting increases administrative overhead but offers better control. In a highly secure environment, maintaining a whitelist also entails exerting strict device control, preventing pairing over USB, deploying only in-house enterprise apps, and removing user capability to install or delete apps.
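
As an added example (not from the guide or any MDM product), the two policy models described above side by side: a default-deny allowlist that admits a build pinned by digest from the enterprise app store or anything signed by a trusted publisher, and a default-allow blocklist. The signer fingerprint is assumed to have been verified by the platform before the request reaches the policy; all package names, certificate fingerprints and package bytes are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class InstallRequest:
    package: str             # app identifier
    signer_fingerprint: str  # SHA-256 of the signing certificate, as verified by the platform
    package_digest: str      # SHA-256 hex digest of the package bytes


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Constructed policy data (hypothetical identifiers) ---
# Publishers trusted automatically: signer fingerprint -> publisher name.
TRUSTED_PUBLISHERS = {
    sha256_hex(b"example-corp-signing-cert"): "Example Corp (in-house apps)",
}
# Apps approved individually, pinned to the build the enterprise app store distributes.
APP_ALLOWLIST = {
    "com.example.expenses": sha256_hex(b"expenses-1.4.2 package bytes"),
}
# Apps explicitly banned; only the blocklist policy consults this.
APP_BLOCKLIST = {"com.freeflashlight.app"}


def allowlist_decision(req: InstallRequest) -> Tuple[bool, str]:
    """Default deny: a pinned build must match its digest exactly (a pin beats
    publisher trust, so a tampered copy of an approved app is refused);
    otherwise only a trusted publisher's signature gets an app in."""
    pinned = APP_ALLOWLIST.get(req.package)
    if pinned is not None:
        if pinned == req.package_digest:
            return True, "approved build from the enterprise app store"
        return False, "package digest does not match the approved build"
    publisher = TRUSTED_PUBLISHERS.get(req.signer_fingerprint)
    if publisher is not None:
        return True, f"signed by trusted publisher {publisher}"
    return False, "not on the allowlist and signer not trusted"


def blocklist_decision(req: InstallRequest) -> Tuple[bool, str]:
    """Default allow: refuse only what is already known to be bad."""
    if req.package in APP_BLOCKLIST:
        return False, "package is on the blocklist"
    return True, "not on the blocklist"


if __name__ == "__main__":
    # Constructed install requests.
    requests = [
        InstallRequest("com.example.expenses", sha256_hex(b"store-cert"),
                       sha256_hex(b"expenses-1.4.2 package bytes")),
        InstallRequest("com.example.newtool", sha256_hex(b"example-corp-signing-cert"),
                       sha256_hex(b"newtool bytes")),
        InstallRequest("com.random.game", sha256_hex(b"unknown-cert"), sha256_hex(b"game bytes")),
        InstallRequest("com.freeflashlight.app", sha256_hex(b"unknown-cert"), sha256_hex(b"fl bytes")),
    ]
    for req in requests:
        print(f"{req.package:28} allowlist={allowlist_decision(req)}  blocklist={blocklist_decision(req)}")
```

The unknown game is the case that separates the two models: the blocklist lets it through because nobody has flagged it yet, the allowlist refuses it because nobody has approved it, which is the stricter control the guide recommends when security is the concern.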
The concept of transitive trust for mobile devices is similar to identity federation but can cross boundaries of authentication domains at the application layer. Identity federation defines a set of technologies used to provide authentication (sign-in) services for applications. Transitive trust enables decentralized authentication through trusted agents.
Application transitive trust and authentication can be used to improve the availability of service access but can also present security issues. When applications interact with each other, restricting one application can create an environment for data to still leave the mobile device through the other application. An application with only local permissions could then send sensitive data through third-party applications to external destinations.
You might want to encrypt data from a mobile application for several reasons. Application data may be encrypted to make sure that files exported to shared storage, such as the device’s SD card, are not easily accessible to other applications. Some applications store sensitive data on mobile devices and require encryption. Application encryption can also be used to encrypt sensitive information stored by the app or to limit content accessibility to users who have the appropriate access key. Options for encrypting application data include using MDM to have the device itself encrypt the data, having the application provide its own encryption scheme, or using an MDM application-wrapping technology that wraps system calls and automatically performs encryption and decryption on the application data.
When data is encrypted, procedures for key management and key recovery must be in place. Encryption key management systems can be console-based software or hardware appliances.
Key management is intended to provide a single point of management for keys and to enable users to both manage the life cycle of keys and store them securely. It also makes key distribution easier.
Some mobile operating systems have built-in application key management features. In iOS, keychains provide storage for encryption keys and certificates. After an application requests access to a keychain, it can store and retrieve sensitive data. Android has a similar keychain capability. On a mobile device, extracting a key and decrypting data is easy when the key is stored either with the encrypted data or as a file private to the application, especially if the device is rooted. This weakness could give unauthorized applications access to sensitive information. To better protect the keys, one solution is not to store keys but to derive them from user-entered passwords.

Protections
The risk areas associated with mobile devices are physical risk (including theft or loss), unauthorized access risk, operating system or application risk, network risk, and mobile device data storage risk. To mitigate these risks, many of the same protections that apply to computers apply to mobile devices. Safeguards include screen locks, encryption, remote wiping, GPS tracking, and proper access. This section discusses these protections.

Screen Locks, Passwords, and PINs

All mobile phones offer a locking capability. When locking is turned on, the user must input a PIN/passcode or password to access the phone and applications. A screen lock therefore prevents access to the device content until the user has entered the correct PIN/passcode.
PINs/passcodes and pattern locks are a basic form of security and a first line of defense. They should be required on all devices that access corporate resources.
The screen lock is similar to a password-protected screensaver on a computer. The lock code is usually a four-digit code or PIN. A pattern lock uses a pattern drawn on the screen instead of requiring a PIN/passcode. Android devices usually refer to this four-digit code as a PIN, whereas iOS devices refer to it as a passcode. A device should be configured to lock its screen automatically after a brief period of inactivity.
The number of times a user can attempt to input a password or code depends on the OS or corporate policy. For example, by default, the vendor might allow seven failed attempts before the device is locked. If the user fails to enter the correct passcode or password on the screen after seven attempts, the phone prompts the user to wait 30 seconds before trying again. For a reset, the user is required to provide the original email account name and password used to set up the phone. Corporate policies might be more restrictive and tend to lean more toward five failed attempts before the phone becomes locked.
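
An added example, not from the guide: a small model of the failed-attempt handling just described. The default policy follows the vendor behaviour in the paragraph (seven failures, then a 30-second wait, during which even the correct code is refused); a second policy shows the stricter corporate variant with five attempts and a wipe threshold, of the kind mentioned later under remote wiping. The passcodes and timings are constructed.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class LockPolicy:
    attempts_before_delay: int = 7      # vendor default from the guide
    delay_seconds: int = 30             # wait imposed once the threshold is hit
    wipe_after: Optional[int] = None    # total failures before the device erases itself


class ScreenLock:
    def __init__(self, passcode: str, policy: LockPolicy):
        self._passcode = passcode
        self.policy = policy
        self.failed = 0           # consecutive failures
        self.locked_until = 0     # unix time before which no attempt is accepted
        self.wiped = False

    def attempt(self, passcode: str, now: int) -> str:
        """Returns 'ok', 'wrong', 'wait' (delay in force) or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "wait"         # refused regardless of whether the code is right
        if hmac.compare_digest(self._passcode, passcode):
            self.failed = 0       # a success clears the counter
            return "ok"
        self.failed += 1
        p = self.policy
        if p.wipe_after is not None and self.failed >= p.wipe_after:
            self.wiped = True     # a real device would destroy its keys / erase storage here
            return "wiped"
        if self.failed >= p.attempts_before_delay:
            # once over the threshold, every further failure restarts the delay
            self.locked_until = now + p.delay_seconds
            return "wait"
        return "wrong"


def run_sequence(lock: ScreenLock, attempts: List[Tuple[str, int]]) -> List[str]:
    """Feed (passcode, time) pairs to the lock and collect the outcomes."""
    return [lock.attempt(code, t) for code, t in attempts]


if __name__ == "__main__":
    # Constructed passcode and a burst of guesses one second apart.
    vendor = ScreenLock("4821", LockPolicy())
    print(run_sequence(vendor, [("0000", t) for t in range(8)] + [("4821", 10), ("4821", 36)]))
    strict = ScreenLock("4821", LockPolicy(attempts_before_delay=5, delay_seconds=30, wipe_after=10))
    print(run_sequence(strict, [("0000", 30 * i) for i in range(10)] + [("4821", 1000)]))
```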

Biometrics and Context-Aware Authentication
Biometric authentication methods have been a part of security practices for a while. Biometric authentication is based on some type of physical characteristic that is unique to an individual. Biometric methods embedded in mobile phones include fingerprint, face, iris, voice, and signature recognition. Most mobile devices today provide support for fingerprint or facial recognition. These are currently the most common biometric methods used in mobile devices.
Biometric methods are not foolproof. Some fingerprint recognition technologies can be fooled by a copy of a person’s fingerprint, and facial recognition technologies can be defeated using a three-dimensional image of a user’s social media photo. Still, biometric authentication is more secure than weak passwords. The best approach to mobile device security is to combine biometric authentication with a strong password or PIN.
A shift is taking place toward context-aware authentication for mobile devices. The idea behind context-aware authentication is to use machine learning to determine whether a user resource request is valid or whether the account was compromised. The access decision is based on what is considered learned normal behavior for the user. More technically, machine learning algorithms determine a confidence level regarding whether the access request is the real user and not a malicious actor. Context awareness is a preferred method for authentication because environments are fluid, and static methods do not have the capability to understand the context of a login attempt, calculate risk based on the context analysis, and change requirements appropriately.
The risks associated with cloud computing and BYOD have made context-aware security a more viable approach. Context-aware authentication more effectively protects against fraudulent and unauthorized access attempts because it assesses risk for resources that the user accesses. An extension of context-aware authentication is Google’s Trust API, which uses proximity-based authentication on mobile devices. A trust score is calculated based on user-specific data points.
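
As an added example (not from the guide, and not Google's Trust API), here is the shape of a context-aware decision: a per-user baseline of devices, countries, networks and hours is learned from successful logins, each request is scored against it, and the score selects allow, step-up or deny. The weights are a fixed rule set standing in for the machine-learning model the guide describes; user names, device IDs and ASNs are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class LoginContext:
    user: str
    device_id: str
    country: str
    asn: str       # network the request arrived from
    hour: int      # local hour of day, 0-23


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user, learned from prior successful logins."""
    devices: Set[str] = field(default_factory=set)
    countries: Set[str] = field(default_factory=set)
    asns: Set[str] = field(default_factory=set)
    hours: Set[int] = field(default_factory=set)

    def learn(self, ctx: LoginContext) -> None:
        self.devices.add(ctx.device_id)
        self.countries.add(ctx.country)
        self.asns.add(ctx.asn)
        self.hours.add(ctx.hour)


# Constructed weights; a production system would fit these from data.
WEIGHTS = {"new_device": 40, "new_country": 30, "new_network": 20, "odd_hour": 10}


def _odd_hour(hour: int, usual: Set[int]) -> bool:
    """Odd if no learned hour lies within two hours (wrapping at midnight)."""
    if not usual:
        return True
    return min(min(abs(h - hour), 24 - abs(h - hour)) for h in usual) > 2


def risk_score(ctx: LoginContext, base: UserBaseline) -> Tuple[int, List[str]]:
    reasons = []
    if ctx.device_id not in base.devices:
        reasons.append("new_device")
    if ctx.country not in base.countries:
        reasons.append("new_country")
    if ctx.asn not in base.asns:
        reasons.append("new_network")
    if _odd_hour(ctx.hour, base.hours):
        reasons.append("odd_hour")
    return sum(WEIGHTS[r] for r in reasons), reasons


def decide(score: int) -> str:
    if score < 30:
        return "allow"
    if score < 70:
        return "step_up"     # ask for a second factor before granting access
    return "deny"


def authorize(ctx: LoginContext, base: UserBaseline, second_factor_ok: bool = False) -> str:
    """Full flow: score, optionally step up, and refine the baseline on success."""
    score, _ = risk_score(ctx, base)
    outcome = decide(score)
    if outcome == "step_up":
        outcome = "allow" if second_factor_ok else "deny"
    if outcome == "allow":
        base.learn(ctx)      # successful logins teach the model what normal is
    return outcome


if __name__ == "__main__":
    base = UserBaseline()
    base.learn(LoginContext("alice", "dev-1", "US", "AS64500", 9))
    for ctx in (LoginContext("alice", "dev-1", "US", "AS64500", 10),
                LoginContext("alice", "dev-2", "US", "AS64500", 11),
                LoginContext("alice", "dev-3", "RU", "AS64501", 3)):
        print(ctx.device_id, risk_score(ctx, base), "->", authorize(ctx, base, second_factor_ok=True))
```

The point the static-password paragraph cannot make is visible in the third request: the same credentials from an unknown device, country and network at an unusual hour are refused even with a valid second factor, while a new device alone only triggers step-up and, once verified, becomes part of the baseline.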

Remote Wiping
The data stored on a mobile device is worth a lot more than the device itself. Mobile devices carry a variety of personal and business information, and preventing them from getting into the wrong hands is critical. Many of today’s smartphones support a mobile kill switch or remote wiping capability.
Remote wiping allows a handheld device’s data to be remotely deleted if the device is lost or stolen. All the major smartphone platforms have this capability. The most common ways to remotely wipe a device are using an application installed on the handset, working through an IT management console, and using a cloud-based service.
Via remote administration, any BlackBerry Enterprise Server (BES) handset can be erased, reset to factory default settings, or set to retain its previous IT policy. This is done via the Erase Data and Disable Handheld command over the wireless network. By default, the device deletes all data after ten bad password attempts.
Apple’s iPhone offers a service that enables users to locate lost devices via GPS and erase their data remotely.
To enable remote wipe on enterprise Android phones, the phone must have the Google Apps Device Policy app installed. This is similar in functionality to the remote-control features for a BES. BlackBerry has extended its MDM capabilities to include Android and iOS within BES.
Remote wipes are not fail-safe. If someone finds a phone before the remote wipe occurs and either takes the device off the network or force-reboots and restores the device, that person can recover sensitive data. In the case of BlackBerry devices, if the device is turned off or taken outside the coverage area, the remote wipe command is queued on the BES until the device can be contacted. If a user is removed from the BES before the command has reached the smartphone, data will not be erased from the device.
In addition to enterprise or built-in remote wiping tools, third-party products can be used to remove sensitive information. Some products are good solutions for a particular device type, whereas others cover all three major mobile device types. Most solutions can securely wipe media cards, be configured to wipe data remotely from a device that has been lost or stolen, automatically wipe the device clean when there is an attempt to insert another SIM card, or disable the phone functionality.
Several vendors offer services to Apple users that allow remote wiping on a lost or stolen iPhone. Other options can erase all data on the iPhone after a certain number of failed passcode attempts. iPhones running iOS 8 and later include hardware encryption, and all data is encrypted on the fly. This means that, for newer iOS versions, you do not need to actually wipe the phone’s entire contents; remotely wiping the encryption key is enough.
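
An added example serving two passages, the key-management note earlier (derive keys from the user's passcode instead of storing them) and the point just made that wiping the key is enough: a small encrypted store in which the data key is random, kept at rest only wrapped under a key derived from the passcode with PBKDF2, and checked with a key-check value rather than stored. A remote wipe then becomes a crypto-erase that overwrites the wrapped key. The stream cipher built from HMAC-SHA256 in counter mode is a stand-in so the example runs on the standard library; a real device uses AES with authentication, which this toy lacks. This is not the guide's or Apple's code, and the passcode and records are constructed.

```python
import hashlib
import hmac
import os
import secrets


def derive_kek(passcode: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Key-encryption key from the user's passcode; never written to storage."""
    return hashlib.pbkdf2_hmac("sha256", passcode.encode("utf-8"), salt, iterations, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES): HMAC-SHA256(key, nonce||counter)
    blocks XORed with the data. Encrypt and decrypt are the same operation."""
    out = bytearray()
    for start in range(0, len(data), 32):
        block = hmac.new(key, nonce + start.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


class EncryptedStore:
    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        self.wrap_nonce = os.urandom(16)
        dek = secrets.token_bytes(32)                      # data-encryption key, random
        kek = derive_kek(passcode, self.salt)
        self.wrapped_dek = keystream_xor(kek, self.wrap_nonce, dek)   # only this form is stored
        self.kcv = hmac.new(dek, b"key-check-value", hashlib.sha256).digest()
        self.records = {}                                  # name -> (nonce, ciphertext)
        self._dek = None                                   # in memory only while unlocked

    def unlock(self, passcode: str) -> bool:
        kek = derive_kek(passcode, self.salt)
        dek = keystream_xor(kek, self.wrap_nonce, self.wrapped_dek)
        check = hmac.new(dek, b"key-check-value", hashlib.sha256).digest()
        if not hmac.compare_digest(check, self.kcv):
            return False                                   # wrong passcode or erased key
        self._dek = dek
        return True

    def lock(self) -> None:
        self._dek = None

    def put(self, name: str, plaintext: bytes) -> None:
        if self._dek is None:
            raise PermissionError("device is locked")
        nonce = os.urandom(16)
        self.records[name] = (nonce, keystream_xor(self._dek, nonce, plaintext))

    def get(self, name: str) -> bytes:
        if self._dek is None:
            raise PermissionError("device is locked")
        nonce, ciphertext = self.records[name]
        return keystream_xor(self._dek, nonce, ciphertext)

    def crypto_erase(self) -> None:
        """Remote wipe: destroy the wrapped key and its check value. The
        ciphertext is left in place but can no longer be decrypted by anyone."""
        self.lock()
        self.wrapped_dek = bytes(len(self.wrapped_dek))
        self.kcv = bytes(len(self.kcv))


if __name__ == "__main__":
    store = EncryptedStore("4821")                         # constructed passcode
    store.unlock("4821")
    store.put("notes", b"quarterly numbers")
    store.lock()
    print("wrong passcode unlocks:", store.unlock("0000"))
    print("right passcode unlocks:", store.unlock("4821"), store.get("notes"))
    store.crypto_erase()
    print("after crypto-erase, right passcode unlocks:", store.unlock("4821"))
```

Because the wrapped key is the only thing that ties the passcode to the data, overwriting those 32 bytes is the whole wipe; it completes in milliseconds over a slow link where rewriting the full storage could not, which is the practical reason the guide gives for key wiping on encrypted devices.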

Geolocation, Geofencing, and Push Notifications
If a mobile device is lost, you can use geolocation to track it. Geolocation uses Global Positioning System (GPS) tracking to find the location of a device. In addition, employers sometimes use this feature to locate employees based on their device location.

GPS tracking features can be used on company-issued devices as a deterrent to prevent the unauthorized personal use of vehicles and the practice of taking unauthorized unscheduled breaks.
GPS can also be used to deal with serious crimes. For example, GPS-enabled devices could help locate and recover a hijacked armored vehicle and possibly save the lives of the guards.
The location of a mobile phone is tracked primarily through GPS. In addition, applications provide a host of services based on GPS. Usually each application can be controlled with regard to its use of GPS for location services. Some applications use General Packet Radio Service (GPRS) and allow the GPS coordinates to be downloaded in a variety of formats. This makes it easy to import the coordinates into mapping software or create archives. For example, BlackBerry’s push technology enables IT administrators to track devices through a web-based mapping platform, accessible from any computer or cell phone with an Internet connection. Applications such as Phone Tracker and Find My Device can reveal any geographic locations visited.
Services also provide GPS tracking for devices. For example, the AccuTracking online GPS cell phone tracking service provides real-time device locations for a monthly service charge. Software is installed on the phone, a PC is used to add the device to the vendor’s web interface, the phone communicates with the server, and the device can be tracked through the vendor website.
Apps such as Foursquare that are installed on devices take advantage of geolocation. These apps report device location to other app users so they can find nearby friends. Geofencing takes geolocation a step further and uses GPS coordinates or radio-frequency identification (RFID) to define a geographic perimeter. When a device enters or exits the perimeter, an alert or notification is sent. The Apple Find My Friends app allows geofence-based notifications to inform users when someone enters or leaves a designated area. Geofencing is commonly used to alert local businesses to users’ locations so they can use push advertising.
Geofencing can be used on company-issued devices as a virtual time clock and can deter time theft.
Various geofencing applications provide automated employee time tracking. Some also integrate with third-party solutions such as QuickBooks so that employee time sheets can go directly into an accounting system for payroll.
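
The mechanics of geofencing, as an added example rather than code from the guide or any of the products it names: a circular perimeter is defined by GPS coordinates and a radius, the great-circle distance of each fix decides inside or outside, transitions produce the enter and exit alerts, and time spent inside gives the "virtual time clock" figure. The fence location and the track of position fixes are constructed.

```python
import math
from typing import List, Tuple

EARTH_RADIUS_M = 6_371_000.0
Fix = Tuple[int, float, float]          # (unix time, latitude, longitude)


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS-84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


class Geofence:
    def __init__(self, name: str, lat: float, lon: float, radius_m: float):
        self.name, self.lat, self.lon, self.radius_m = name, lat, lon, radius_m

    def contains(self, lat: float, lon: float) -> bool:
        return haversine_m(self.lat, self.lon, lat, lon) <= self.radius_m


def fence_events(fence: Geofence, track: List[Fix]) -> List[Tuple[int, str]]:
    """Enter/exit alerts from a sequence of fixes; the device is assumed outside
    before the first fix, so an initial fix inside raises 'enter'."""
    events, inside = [], False
    for ts, lat, lon in track:
        now_inside = fence.contains(lat, lon)
        if now_inside != inside:
            events.append((ts, "enter" if now_inside else "exit"))
        inside = now_inside
    return events


def dwell_seconds(fence: Geofence, track: List[Fix]) -> int:
    """Seconds spent inside: each interval is attributed to where it started."""
    total = 0
    for (t0, lat0, lon0), (t1, _, _) in zip(track, track[1:]):
        if fence.contains(lat0, lon0):
            total += t1 - t0
    return total


# Constructed fence (a 200 m circle around an office) and a constructed track:
# approach from about 1.2 km away, two fixes at the office, then leave.
OFFICE = Geofence("HQ office (constructed)", 40.7128, -74.0060, 200.0)
TRACK: List[Fix] = [
    (0, 40.7128, -74.0200),
    (600, 40.7129, -74.0061),
    (1200, 40.7129, -74.0061),
    (1800, 40.7128, -74.0200),
]

if __name__ == "__main__":
    print("events:", fence_events(OFFICE, TRACK))
    print("seconds inside:", dwell_seconds(OFFICE, TRACK))
```

The fix interval sets the accuracy of both outputs: with fixes every ten minutes, an enter alert can be up to ten minutes late and the dwell figure is quantised to the same step, which matters before a number like this feeds a payroll system.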

With push technology, which began with BlackBerry, as soon as a device connects to the cellular network, new emails or updates can be automatically pushed to the device. When a mobile app is installed on a device today, a user can opt in to receive notifications whenever new content is available. A push notification is a brief message or alert that is sent through the installed application to the users who have opted in for notifications. Push notification services have three main components:
- Operating system push notification service (OSPNS)
- App publisher
- Client app

Push notification services are often used in conjunction with geolocation and geofencing. Advertisers target users according to location by setting up geofenced messages. As soon as the device enters the geofence, an advertisement is pushed to the user’s device. Most airline apps use push notifications to remind customers when to check in. Other businesses use geotargeting and assess user histories for push notifications.
Push notifications have become popular in the business environment for internal communication as a way to engage employees and to notify them of important events or emergency situations. HR may use push notifications for onboarding, paperwork deadline reminders, recognition, training sessions, and benefits programs.

Storage Segmentation and Containerization
Malware and security risks such as data leakage have greatly increased in the past few years, putting at risk sensitive corporate information on user devices. Storage segmentation and containerization separate personal and business content on a device.
Storage segmentation protects business content from security risks introduced by personal usage.
Security and data protection policies are applied to a segmented business container on a personal or company-owned device.

Segmentation and containerization are necessary when an organization has a BYOD environment. These approaches are used in conjunction with MAM as a way to apply policies to mobile devices. They provide an authenticated, encrypted area of the mobile device that can be used to separate sensitive corporate information from the user’s personal use of the device. Additional benefits of containerization are capabilities to do the following:
- Isolate apps
- Control app functions
- Delete container information
- Remotely wipe the device

Applications provided by mobile technology vendors offer a security container that separates company and personal information. The enterprise container securely houses enterprise data and applications on the device, encrypting all data with strong Advanced Encryption Standard (AES) encryption. This solution also encrypts any data in transit between the device and servers behind the organization’s firewall.
The downside to segmentation and containerization is that they are third-party solutions and tend to be costly if an organization lacks the required infrastructure. Secure containers can also limit the apps that employees can use because of compatibility issues, and some solutions do not provide adequate protection because they rely on device-level controls. This means that if a weak passcode is used and the device is compromised, the data is also compromised.

Full Device Encryption (FDE)
As with data on hard drives, data on mobile devices can be encrypted. However, this presents some challenges. For starters, entering complex passwords on small keyboards is difficult, and multifactor authentication is often infeasible. In addition, mobile devices have limited processing power, and the extra computation required for encryption could cause them to suffer performance issues. The always-on nature of these devices also means that encryption can easily break functionality. Another consideration is that because of the variety of devices, a company might have to implement multiple encryption methods. For example, BlackBerry Enterprise Server can be used to manage built-in data encryption, and Android mobile devices can use a third-party encryption solution.
Mobile voice encryption can allow executives and employees to discuss sensitive information without having to travel to secure company locations. A number of options are available for voice encryption. Vendors make microSD hardware security module (HSM) flash cards that fit into certain mobile devices. The software is installed on the phone when the card is first inserted into a device. This makes it possible to provide hardware-based authentication and cryptographic operations from the tiny slot in a mobile device.

Another hardware option is embedded encryption, which is offered in some solutions and consists of three main components:
- Embedded encryption software on the chip
- Linux-based management server
- TrustChip software development kit (SDK)
Third-party software applications can provide secure VoIP communication for iPhone and Android devices by using 256-bit AES military-grade encryption to encrypt calls between users. For added security, strong RSA encryption can be used during the symmetric key exchange. This type of application can provide VoIP connectivity for secure calls over several networks, including cellular and Wi-Fi.
When using voice encryption software, keep in mind that it must be installed on each mobile phone to create a secure connection. You cannot create a secure encrypted connection between a device that has software installed and one that does not. The same is true for hardware solutions. For example, an application encrypts voice only when the phone calls another phone using the same application. The user sees an icon on the display indicating that the call is encrypted.
As with many other solutions, using voice encryption is not an end-all solution. Many commercially available mobile voice encryption products can be intercepted and compromised using a little ingenuity and creativity. Some applications can be compromised in as little as a few minutes.
Enterprise-level encryption solutions are also available for various devices. For example, security vendors provide device protection on iOS and Android mobile devices. With such products, it is possible to secure mobile devices by centrally configuring security settings and enabling lockdown of unwanted features; furthermore, these products offer remote over-the-air locking or wiping features that can be used when a device is lost or stolen, and they have self-service portals that allow end users to register new devices and either lock or wipe lost or stolen phones.

Enforcement and Monitoring
Both enterprise administrators and users need to be aware of the growing risks associated with the convenience of having the Internet and the corporate network data in the palm of your hand. The most effective way to secure restricted data is not to store it on mobile devices. Of course, this is easier said than done.
MDM provides functionality and control over enterprise devices by allowing an organization to manage, secure, and monitor employee devices. MDM is one part of an overall enterprise mobility management (EMM) approach. EMM typically includes MDM, MAM, and identity management. This section covers these additional tools and technologies for mobile device enforcement and monitoring.

EMM allows an organization to perform advanced management of devices, including the following functions:
- Restricting changes to mobile network, Wi-Fi, or VPN access
- Controlling USB transfers, as well as transfers to external media
- Restricting users from sharing their locations in an app
- Preventing users from resetting devices by using a factory reset

Jailbreaking and Rooting
Jailbreaking and rooting are similar in that both alter the device's capabilities. However, they work differently and apply to different mobile operating systems.
Jailbreaking is associated with Apple devices. Rooting is associated with Android devices.
Apple controls iOS apps by using a private key for app authorization to protect devices from the risks associated with questionable apps. Users often want to run apps that they feel are safe but that Apple has not authorized. To run these apps, an iOS device must be jailbroken. Essentially, jailbreaking removes the restriction that the device must run only Apple-authorized apps. Jailbreaking is done by installing a custom kernel that allows root access to the device through an application such as RedSn0w, which then uses a package manager such as Cydia to allow unauthorized application installation. Jailbreaking can be classified as either tethered or untethered. In tethered jailbreaking, the user must start the device from a software installation on a computer. In untethered jailbreaking, the device does not need to be connected to a computer in order to start; the device is altered so that it can start on its own.
With an Android device, if a user wants to run apps that are not available on the Google Play Store, the choices are either rooting the device or sideloading the app (as discussed in the next section). Rooting allows complete access to the device. Root-level access allows a user to configure the device to run unauthorized apps and set different permissions by circumventing Android’s security architecture.
Rooted or jailbroken devices pose a risk to organizational data. In a BYOD environment, the organization might not know if or when users jailbreak or root devices. To mitigate this vulnerability, most EMM solutions have the capability to detect jailbroken and rooted devices. Detection is done by identifying indicators such as the existence of Cydia on iOS devices or having an alert sent when an app invokes the superuser APK on Android systems. The device is then marked as noncompliant and can be removed from the network or denied access to enterprise apps. Access to the data previously authorized for the device can then be revoked.
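As an added illustration of the on-device indicator checks described above (example code written for this guide, not code from the study guide or from any EMM product), the following Android class, with the hypothetical name RootIndicatorCheck, looks for the superuser binaries and APKs that rooting leaves behind and returns a compliance verdict that an EMM agent could report. The file paths listed are the commonly used ones and are assumptions for this illustration.

```java
import android.os.Build;

import java.io.File;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added example (not from the study guide): an EMM agent-side check for the
 * indicators that rooting or custom firmware leave on an Android device.
 * The class name and the path lists are assumptions chosen for this illustration.
 */
public final class RootIndicatorCheck {

    /** Locations where a superuser ("su") binary is commonly placed by rooting tools. */
    private static final String[] SU_BINARY_PATHS = {
        "/system/bin/su",
        "/system/xbin/su",
        "/sbin/su",
        "/su/bin/su",
        "/data/local/bin/su",
    };

    /** System-partition APKs that manage root grants; their presence means the device is rooted. */
    private static final String[] SUPERUSER_APK_PATHS = {
        "/system/app/Superuser.apk",
        "/system/app/SuperSU.apk",
        "/system/app/SuperSU/SuperSU.apk",
    };

    /** Result an EMM agent can report: the indicators found and the resulting compliance state. */
    public static final class Verdict {
        public final List<String> indicators;
        public final boolean compliant;

        Verdict(List<String> indicators) {
            this.indicators = Collections.unmodifiableList(indicators);
            this.compliant = indicators.isEmpty();
        }
    }

    private RootIndicatorCheck() { }

    /** Runs every indicator check; a single hit is enough to mark the device noncompliant. */
    public static Verdict evaluate() {
        List<String> found = new ArrayList<>();

        for (String path : SU_BINARY_PATHS) {
            if (new File(path).exists()) {
                found.add("su binary present: " + path);
            }
        }
        for (String path : SUPERUSER_APK_PATHS) {
            if (new File(path).exists()) {
                found.add("superuser APK present: " + path);
            }
        }
        // Production builds are signed with release keys; "test-keys" indicates a custom or
        // developer build (custom firmware), a weaker indicator that still warrants review.
        if (Build.TAGS != null && Build.TAGS.contains("test-keys")) {
            found.add("build signed with test-keys: " + Build.TAGS);
        }
        return new Verdict(found);
    }

    /** Maps a verdict to the EMM action described in the text: deny enterprise apps when noncompliant. */
    public static String recommendedAction(Verdict verdict) {
        return verdict.compliant
            ? "ALLOW_ENTERPRISE_APPS"
            : "MARK_NONCOMPLIANT_AND_DENY_ENTERPRISE_APPS";
    }
}
```

A rooted device can hide these files from an app, so EMM products pair on-device checks like this one with server-side attestation; the check is still the cheap first signal that triggers the noncompliant marking.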

Custom Firmware, Carrier Unlocking, and OTA Updates
Technically, there is a difference between rooting or jailbreaking a device and loading custom firmware or unlocking a device. The most common scenario for installing custom firmware on a device is for forensic acquisition. Most forensic tools require a deep level of access to the device, and the acquisition process can sometimes involve the installation of custom firmware.
Users might want to load custom firmware on their devices so that they can use a different language, switch from the manufacturer-supplied skin to a different look, or get rid of the unnecessary applications that are installed by default so they can free up space on the device. Installing a custom ROM requires using a custom bootloader and a custom recovery manager. Root access is not necessarily required. Alternatively, the Replicant OS, a free Android distribution, can give users the flexibility they are looking for in custom firmware.
Carrier unlocking is the process by which users modify a device so that they do not have to use the original carrier or service provider. Carrier unlocking is done mainly because most service providers require two-year contracts with customers. Many consumers complained about this practice. In 2014, President Obama signed the Unlocking Consumer Choice and Wireless Competition Act, which makes it legal for consumers to unlock their phones.
Unlocking allows users to select any wireless provider they choose without having to purchase a new device.
When a device is unlocked, it can only use a service provider whose technology is compatible with the device hardware. For example, an original Verizon device using CDMA technology cannot necessarily be activated on an AT&T GSM network because the device might not have the required SIM slot.
Most U.S. carriers unlock a device upon request, as long as the contract is fully paid, so an organization might not be aware of changes, especially in a BYOD environment. EMM solutions allow the organization to look at device monitoring and usage thresholds that indicate a carrier switch. When an organization is reimbursing employees for associated costs, the organization can help the employee choose an appropriate option when switching carrier plans, as long as it is done legally instead of through jailbreaking or rooting the device.
Mobile devices have the capability to receive and install over-the-air (OTA) system and application updates that are pushed over Wi-Fi to the device. Device users are notified that an update is available so that they can either install or postpone the update. OTA firmware updates are done through the device’s recovery partition, which has the software required to unpack the update package and run it on the system.
OTA updates can be managed through EMM. For example, with Android OS, a device policy controller (DPC) app can be deployed to mobile devices. This gives the organization control over when the OTA updates are installed through a local OTA policy. When the OTA policy is set, the updates are installed according to the policy settings, and users have no control over when the updates are installed; users also are not notified of updates.

Third-Party App Stores and Sideloading
Less invasive processes than rooting or jailbreaking a device are also available to users who want to install apps that are not authorized by their OS vendor. For example, users can download from third-party app stores such as Amazon, GetJar, AppBrain, and Appolicious. On Android devices, users can easily install third-party apps by enabling an option in the device’s security settings that is disabled by default.
Third-party app stores are problematic for organizations because often the apps at these stores are not properly vetted. To prevent the installation of apps downloaded from third-party app stores, EMM solutions can be configured to not allow users to modify settings or to allow only whitelisted apps to be installed on the devices. Another option, albeit a more costly one, is for an organization to provide its own enterprise app store. The organization’s store can host IT-approved apps and allow only apps from the enterprise app store to be installed on devices.

Sideloading is a process in which a user goes around the approved app marketplace and device settings to install unapproved apps. Before sideloading can be done on an Android device, users must enable the installation from unknown sources in the system security settings. Sideloading on an Android device can be done one of three ways:
- Manual: Using a USB connection and a file manager application
- Android Debug Bridge (adb): Using a command-line installation similar to Linux-based installs
- AirDroid: Using a drag-and-drop application installer

Sideloading on iOS devices can be done by using the Cydia Impactor tool. As with the installation of apps from third-party app stores, sideloading an app poses a risk to the organization because those apps have not been vetted and thus could introduce malicious software and compromise sensitive corporate data. The organizational protections are the same as for third-party apps. MAM configurations prevent the installation of apps from untrusted sources. EMM implementations can further lock down a device by applying policies that are capable of deleting apps and wiping a device.

Storage and USB OTG
Most mobile devices have an external media card used for storage. Most devices support USB Host Mode, also known as USB on-the-go (OTG).
USB OTG is a standard that enables mobile devices to communicate with each other through a USB cable that users attach. Examples of USB and USB OTG functions include importing camera data from the device, copying files onto a USB drive, and attaching a full-size USB keyboard or mouse. To mitigate the vulnerability such a solution introduces, most EMM solutions can prevent users from accessing unauthorized sources such as USB storage or file-sharing sites.
The data on a media card needs to be encrypted. Full device encryption is an added feature that enables users to secure sensitive information on a mobile device’s removable flash memory storage card. The data is accessible only when the card is installed in a particular mobile device. If the card is ever lost or stolen, the information remains secure because it is encrypted.

Enforcement for Normal Device Functions
Many organizations produce and store proprietary information. Because mobile devices can instantly share location, take pictures, text, and record video and audio, allowing these devices on a network poses security risks. Policies should cover the use of camera, video, texting, and audio recordings as they relate to the organizational work environment.
Geotagging location services, based on GPS positions and coordinates, also present security risks. Geotagging allows location data to be attached to images, videos, SMS messages, and website postings, providing permanent and searchable data. Geotagging can be limited by turning off features in social network accounts, disabling location services, and selectively using location features.
Security risks associated with geotagging include unwanted advertising, spying, stalking, and theft. Some social networking sites and services show the location of logged use.
Texting and sending pictures via text (MMS) are a growing concern for most organizations. Excessive texting during work hours can interfere with employee productivity. Texting policies might be required in situations where personal information could be disclosed, such as health or financial services. The Final Omnibus Rule of March 2013 introduced a new HIPAA texting policy. The revisions apply not only to healthcare providers but also to third-party healthcare industry service providers and business associates. The HIPAA texting policy was written to address the risk associated with sending patient health information via SMS and placing patient health information on mobile devices. In environments where SMS/MMS communications contain sensitive information, encrypted messaging must be used to keep these communications secure and to comply with regulations. Employees should be made aware of policies on corporate texting and pictures sent via text (MMS). Rich Communication Services (RCS) is a protocol that has been in the works for many years and is currently used alongside SMS and MMS. RCS is slated to eventually replace both SMS and MMS.
Unused features on mobile devices should be disabled. Depending on the organizational needs, disabling other features on devices might be advisable as well. For example, if an employee works with highly confidential or trade secret information, the organization might require that the camera and microphone on corporate devices be disabled.
A comprehensive mobile policy should clearly state restrictions on the use of cameras, video, audio, or location sharing and other applications and services.
Employees might be trustworthy, but if an employee’s device contains organizational information and is lost or stolen, proprietary information might be compromised. In high-security areas, employees might have to surrender their mobile devices. In other situations, settings can be disabled or controlled through EMM implementations.

Wi-Fi Methods, Tethering, and Payments
Wi-Fi has been a mobile communication method for a while. A mobile device can use two different Wi-Fi methods to connect to another device: direct and ad hoc. Both allow multiple devices to directly connect without the use of a wireless access point.
The Wi-Fi Direct standard enables quick connections with effortless setup through peer-to-peer wireless networking. When Wi-Fi Direct is used, one device acts as a wireless access point, and other devices connect to it. The device acting as the access point is called the Group Owner (GO). Other devices connect to it as clients in station mode. Devices discover each other the same way a device finds a wireless network. Connected devices are not limited to Wi-Fi Direct, so devices that are not Wi-Fi Direct enabled can connect as well. Wi-Fi Direct uses the Wi-Fi Protected Setup (WPS) protocol to exchange credentials, which means users do not need to know a shared password. To connect, a user only needs to enter a PIN code or push a device button. Wi-Fi Direct can be used to perform tasks such as printing to a wireless printer, transferring photos between devices, or sending files to a computer. Wi-Fi Direct is meant for easily connecting a small number of devices for a short period of time.
Wi-Fi Direct device connections can happen anywhere and anytime and do not require access to a Wi-Fi network. However, the use of WPS is a major security concern because it has been proven insecure. The Wi-Fi Direct Alliance recommends that Wi-Fi Direct device connections be protected by WPA3 instead of WPS.
A mobile ad hoc network (MANET) is part of the IEEE 802.11 standard called Independent Basic Service Set (IBSS). No hierarchy governs IBSS devices, and all the devices are called nodes. IBSS nodes regularly send beacons to announce the existence of the network. IBSS networks have no security requirement, and security can range from no encryption to a supported Wi-Fi encryption protocol. The concept of MANET is simple, but because many configuration options are available, inexperienced users tend to find it hard to use.
MANET is most often used by the military and emergency services. It can also be used by education institutions for classrooms and labs.
Depending on the manufacturer of an organization’s WLAN equipment, organizational policy might control the capability to use Wi-Fi Direct. For example, Cisco Wireless LAN controllers can be used to configure the Wi-Fi Direct Client Policy to disallow this type of connection or to allow the connection but not allow the setup of a peer-to-peer connection. In Windows networks, MANET can be controlled through group policy.
Tethering involves sharing a device’s Internet connection with other devices through Wi-Fi, Bluetooth, or a USB cable. This technique basically allows a device to act as a modem. Tethering is used when no other method exists for connecting to the Internet. Tethering can be especially useful when traveling, but it has some downsides: Speed can be slow, the battery of the tethering device drains more quickly, and, depending on the carrier, additional data charges might apply.
Organizational policy on tethering might differ from restrictions on mobile device use in general. Unsecured public Wi-Fi networks are not considered safe. An organization might prefer to absorb the extra cost and keep data more secure by sending it directly through an employee’s tethered mobile device. When this is the case, the additional cost must be monitored, especially when employees travel overseas. EMM solutions can help monitor costs associated with tethering and provide flexible tethering controls.
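The device-side enforcement described throughout this chapter (the EMM functions listed under Enforcement and Monitoring, the local OTA policy applied by a DPC app, and the restrictions on unknown-source installs, USB storage, the camera, and tethering) can be expressed as an Android device policy controller. The following is an added example written for this guide, not code from any EMM product; it assumes an app that has already been provisioned as device owner and uses the hypothetical receiver class EnterpriseAdminReceiver.

```java
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.app.admin.SystemUpdatePolicy;
import android.content.ComponentName;
import android.content.Context;
import android.os.UserManager;

/**
 * Added example (not from the study guide): a device policy controller (DPC) that applies
 * the EMM lockdown settings discussed in this chapter. Assumes the app has already been
 * provisioned as device owner; the receiver class name is a placeholder for this illustration.
 */
public final class EnterpriseLockdownPolicy {

    /** Device admin receiver the DPC registers in its manifest; callbacks keep their defaults. */
    public static final class EnterpriseAdminReceiver extends DeviceAdminReceiver { }

    /** Maintenance window for OTA installs: 02:00 to 04:00 device-local time, in minutes after midnight. */
    private static final int OTA_WINDOW_START_MINUTES = 2 * 60;
    private static final int OTA_WINDOW_END_MINUTES = 4 * 60;

    /** User restrictions keyed to the EMM functions described in the text. */
    private static final String[] RESTRICTIONS = {
        // Restricting changes to mobile network, Wi-Fi, or VPN access
        UserManager.DISALLOW_CONFIG_MOBILE_NETWORKS,
        UserManager.DISALLOW_CONFIG_WIFI,
        UserManager.DISALLOW_CONFIG_VPN,
        // Controlling USB transfers, as well as transfers to external media (USB OTG storage)
        UserManager.DISALLOW_USB_FILE_TRANSFER,
        UserManager.DISALLOW_MOUNT_PHYSICAL_MEDIA,
        // Restricting users from sharing their locations in an app
        UserManager.DISALLOW_SHARE_LOCATION,
        // Preventing users from resetting devices by using a factory reset
        UserManager.DISALLOW_FACTORY_RESET,
        // Sideloading: block "unknown sources" installs and adb-based installs
        UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,
        UserManager.DISALLOW_DEBUGGING_FEATURES,
        // Tethering policy: prevent the device from being configured as a modem
        UserManager.DISALLOW_CONFIG_TETHERING,
    };

    private EnterpriseLockdownPolicy() { }

    /**
     * Applies the lockdown. Returns false without changing anything when the app is not
     * device owner, because every call below requires that privilege.
     */
    public static boolean apply(Context context) {
        DevicePolicyManager dpm =
            (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        if (dpm == null || !dpm.isDeviceOwnerApp(context.getPackageName())) {
            return false;
        }
        ComponentName admin = new ComponentName(context, EnterpriseAdminReceiver.class);

        for (String restriction : RESTRICTIONS) {
            dpm.addUserRestriction(admin, restriction);
        }

        // Normal-device-function enforcement: disable the camera for roles that handle
        // highly confidential or trade secret information.
        dpm.setCameraDisabled(admin, true);

        // Local OTA policy: system updates install automatically inside the window, with no
        // user prompt and no option to postpone, matching the DPC behaviour described in the text.
        dpm.setSystemUpdatePolicy(admin,
            SystemUpdatePolicy.createWindowedInstallPolicy(
                OTA_WINDOW_START_MINUTES, OTA_WINDOW_END_MINUTES));
        return true;
    }
}
```

In a BYOD work profile (the containerization model described earlier) the same calls from a profile-owner DPC scope to the managed profile only, and several of the device-wide restrictions such as Wi-Fi, tethering, and factory reset are available only in device-owner mode.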

Users can also use mobile devices to make payments for meals and other expenses and to transfer money. Mobile payments can be made in several ways, including with mobile wallets, contactless payments, carrier billing, and card payments. Mobile payments generally fall into several categories:
- Daily transactions: Most often associated with a mobile wallet
- Point-of-sale (POS) payments: Goods and services vendors
- Carrier payments: Billed directly through the carrier, most often associated with charitable donations via text
- Mobile card reader: Often associated with small businesses that accept credit card payment via a tablet

Each type of payment has apps used for the payment processing. For example, POS systems often support Apple Pay, Samsung Pay, and Android Pay. The NFC reader in the POS terminal takes care of the payment details after a user merely holds a device near the POS. When organizations issue employees company credit cards and want to mitigate vulnerabilities associated with mobile payment systems, MDM or EMM systems can disable the services or apps associated with mobile payment systems.

Deployment Models
Employees are increasingly using personal devices for critical job functions, and organizations are therefore seeking better control over mobile devices and to implement solutions such as MDM and MAM. MDM, secure access to data, and application control all require a holistic security approach. Human factors combined with role-based management can help protect an organization against data loss and threats, as well as ensure that the organization is meeting compliance requirements. This section discusses the current mobile deployment models and considerations.

BYOD, CYOD, COPE, and Corporate-Owned Devices
Bring your own device (BYOD) focuses on reducing corporate costs and increasing productivity by allowing employees, partners, and guests to connect to the corporate network for access to resources. BYOD gives employees freedom to choose the device, applications, and services that best meet their needs. When employees can use their own personal devices, productivity usually increases. From a management perspective, BYOD has increased administrative overhead because many different devices are in use, and the organization has no control over the software or applications users have installed.
Employers sometimes offer reimbursement for business use of a personal device. In some states, the reimbursement is required by law. For example, California Labor Code Section 2802 states that employers are required to reimburse employees for necessary expenses, including all reasonable costs. This translates to reimbursement for the percentage of the cost associated with business calls.
In choose your own device (CYOD), the organization controls which devices an employee can choose by providing a list of approved options. CYOD is more restrictive than BYOD and gives the organization greater control over which devices are allowed on the network. In most implementations of CYOD, the organization purchases an employee’s device and pays the data usage costs. Device ownership thus rests with the organization, and employees must surrender their devices when they leave or are terminated. This method of managing user devices can reduce the hardware and management costs related to corporate-owned devices, but it cannot completely eliminate them.
With corporate-owned devices, organizations issue employees devices they can use. In this model, which is sometimes called use what you are told (UWYT), the mobile devices available for use are predetermined. Users are issued devices based on corporate policy and, often, their roles in the organization. Corporate-owned devices provide a clear separation between employees’ personal and business lives. This is often inconvenient for users because they are required to carry two mobile devices, one for each function.
Corporate-owned, personally enabled (COPE), or company-issued business only (COBO), is similar in principle to corporate-owned devices but allows personal use of the device. With COPE, the devices are the organization’s responsibility, so monitoring policies must be in place, and devices must be kept up to date. As with corporate-owned devices, this deployment model enables the organization to disconnect a device from the network in the event of a compromise or malware infection. Financial institutions and healthcare providers tend to choose COPE to meet regulatory compliance requirements. Because the organization has to supply, update, and monitor devices, the cost of this implementation method is much higher than the costs of BYOD or CYOD; COPE is generally not cost-effective for small businesses.

Virtual Desktop Infrastructure
Virtual desktop infrastructure (VDI) is a technology by which an organization hosts virtual desktops on a centralized server. Generally, employees use a client app to securely connect to the virtual infrastructure that hosts a user’s desktop. VDI allows the organization to securely publish personalized desktops for each user through a managed infrastructure. Organizations are extending their VDI to mobile devices, in an implementation model referred to as virtual mobile infrastructure (VMI) or mobile VDI. With this technology, instead of using a hosted desktop, the user receives a hosted mobile device OS. There are two different methods for setting up a client to access mobile VDI:
- Client-based mobile VDI: A mobile VDI client must be installed on each mobile device.
- Browser-based mobile VDI: A web browser is used to access a mobile VDI client.

Mobile VDI is especially useful in BYOD environments because it provides access to both organizational and personal data without the inherent risk of commingled data. Security for EMM and BYOD is already built into mobile VDI because data and applications are stored on the organization’s infrastructure, there is little to no data transfer to the mobile device, and users might have no need for client software on the mobile device. This can reduce the risk associated with lost devices and the need for remote wiping of those lost devices. However, if a mobile VDI experiences an infrastructure failure, users are not able to access resources.

Deployment Strategies
Implementing a mobile deployment program and associated policies requires consideration of general technical aspects, financial responsibility, technical support, and corporate liability. BYOD, CYOD, and COPE deployments vary among organizations.
Formulating a BYOD, COPE, or CYOD program requires a security model that provides differentiated levels of access by device, user, application, and location.
Cost is one of the primary differences between BYOD, CYOD, and COPE deployments. For COPE and CYOD, all costs reside with the organization; BYOD users pay their own device costs but might receive reimbursement for associated business costs. In addition to the cost, organizations must address some overall challenges related to securing sensitive data in any deployment method in order to protect organizational resources.

Architecture/Infrastructure Considerations
Implementing a BYOD, CYOD, or COPE program requires planning and understanding the access methods and device management options for the devices. In addition to looking at the 802.11 infrastructure, organizations should consider bandwidth, network saturation, and scalability. Devices might need to be manually provisioned, but the design architecture usually includes some type of MDM solution so that security, management of mobile endpoints, self-service for enterprise applications, and onboarding can be more easily managed. Most MDM solutions offer management capabilities through virtualization architecture, identity-based access and provisioning, device identification, authentication, authorization, single sign-on, and policy enforcement. When choosing a centralized MDM strategy, an organization can use a solution offered by a mobile device vendor or use a product from a third party. Both approaches are similar and use a typical client/server architecture.

Adherence to Corporate Policies and Acceptable Use
Many organizations use a self-service method through a preconfigured profile to minimize IT intervention. This method offers a simplified way to identify domain user groups that are permitted to onboard their devices. When an employee is terminated, retires, or quits, segregating and retrieving organizational data and applications might be difficult. The BYOD, CYOD, or COPE policy should address how data and corporate-owned applications will be retrieved in such a situation. In some instances, the organization might opt for a total device wipe.
When implementing a BYOD, CYOD, or COPE policy, employees need to be made aware of, understand, and accept this policy as it relates to the organization’s other policies. Many organizations stipulate that they have the right to wipe a device at any time and will not assume responsibility for any loss of data if a device is wiped. Some organizations require employees to install software that provides additional security. Corporate policies might ban rooted or jailbroken devices, and they might prohibit the use of file-sharing sites such as Dropbox, Google Drive, OneDrive, or iCloud. Users who are part of a BYOD, CYOD, or COPE program are expected to adhere to all corporate policies.
In a BYOD, CYOD, or COPE environment, an organization might choose to have a personal device use policy in addition to the organizational acceptable use policy. A personal device use policy defines responsibilities, guidelines, and terms of use for employee-owned devices accessing the organizational network. Often a personal device use policy is created to address expense limitations as well as access to the Internet, applications, and peer-to-peer file sharing for personal purposes instead of corporate purposes.
Employee consent or user acceptance of a BYOD, CYOD, or COPE policy helps protect an organization in the event that security measures such as seizing a device and deleting all device data need to be implemented. Signed agreements should be kept on file in case the organization needs to take future action that pertains to a device.
An organization should ensure that employees provide written consent to all terms and conditions of the BYOD, CYOD, or COPE policy so that it can easily refute any claim of policy unawareness.

Legal Concerns
Legal concerns for implementing a BYOD, CYOD, or COPE program and related policies include whether the policies will be enforceable, whether data privacy laws will restrict security controls and required user consent, whether laws and regulations could limit the ability to audit and monitor activity on personally owned devices, and consent to access the device for business purposes. Furthermore, some legal ramifications relate to determining the liability of the organization for application usage, licensing, removing sensitive data and organizational applications, and wiping data from a personal device. All legal concerns should be addressed prior to program implementation.

Privacy
Data privacy is a concern—for both individuals and the organization—when employees bring their own devices to the corporate network. This is especially important in organizations that are bound by legal requirements regarding the storage of private personal information, such as in the medical and financial industries. Privacy concerns should be addressed in BYOD, CYOD, or COPE policies. A BYOD, CYOD, or COPE policy might need to contain language prohibiting or limiting remote access for certain categories of sensitive data.
Employees should be notified of the organization’s monitoring and personal data access capabilities. The BYOD, CYOD, or COPE policy should clearly disclose how the organization will access an employee’s personal data. If the organization offers device data backup, the policy should also state whether personal data will be stored on backup media. An organizational BYOD, CYOD, or COPE policy may clearly indicate that the organization does not guarantee employee privacy when an employee chooses to be part of the BYOD, CYOD, or COPE workforce.

Data Ownership and Support
Data ownership on an employee-owned device used on a corporate network becomes tricky because of the combination of corporate data and personal data.
Many organizations approach this issue by using either containerization or MDM solutions. When formulating a BYOD, CYOD, or COPE policy, an organization should clearly state who owns the data stored on the device and specifically address what data belongs to the organization. The policy should include language stipulating that the organization will remotely wipe data if the employee violates the BYOD, CYOD, or COPE policy; terminates employment; or purchases a new device. Some organizations also reiterate user responsibility for backing up any personal data stored on the device.
Many organizations save IT support costs by implementing BYOD programs, which reduce their device support obligations. Support time is minimal and mostly limited to helping employees initially get the devices up and running on the network. Most BYOD policies state that employees are responsible for voice and data plan billing and for maintenance of their devices. CYOD and COPE policies, on the other hand, establish what types of devices are permitted to access the network and what support is provided.

Patch and Antivirus Management
When corporate data resides on a personal device, it faces risk from viruses, malware, and OS-related vulnerabilities.

In a BYOD environment, the organization sets minimum security requirements or mandates security as a condition for giving personal devices access to network resources.
Policy should clearly state the requirements for installing updates, patches, and antivirus software. Policy options might include the approval of updates and patches or specific antivirus software, as well as mandatory reporting of any suspected instances of malware infection. In addition, a policy might include material on policy compliance, state that IT may push updates as required, and detail the responsibility for antivirus software costs.
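A device-posture check of the kind a BYOD policy might require before a personal device is granted network access, added here as an example (not code from this guide or from any MDM product; the policy thresholds, antivirus product names and posture records are constructed):

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed BYOD minimum-security policy; values and product names are hypothetical.
POLICY = {
    "min_os_version": {"ios": "16.2", "android": "13"},
    "max_patch_age_days": 90,                             # security patch level freshness
    "approved_antivirus": {"ExampleAV", "AcmeMobileSec"},
    "max_av_definition_age_days": 7,
}
@dataclass
class DevicePosture:            # what an MDM/UEM agent reports for one enrolled device
    device_id: str
    platform: str
    os_version: str
    patch_date: str             # ISO date of the installed security patch level
    antivirus: Optional[str]
    av_definitions_date: Optional[str]
    rooted: bool
def version_tuple(v: str) -> tuple:
    # Numeric comparison: '10.10' must rank above '10.9', which string comparison gets wrong.
    return tuple(int(p) for p in v.split("."))
def days_since(iso: str, today: str) -> int:
    return (date.fromisoformat(today) - date.fromisoformat(iso)).days
def evaluate(dev: DevicePosture, today: str, policy=POLICY):
    """Return (decision, reasons): 'allow', 'remediate' (fixable gaps) or 'block'."""
    if dev.rooted:  # rooting/jailbreaking defeats the OS sandbox; nothing to remediate
        return "block", ["device is rooted/jailbroken"]
    reasons = []
    minimum = policy["min_os_version"][dev.platform]
    if version_tuple(dev.os_version) < version_tuple(minimum):
        reasons.append(f"OS {dev.os_version} below minimum {minimum}")
    if days_since(dev.patch_date, today) > policy["max_patch_age_days"]:
        reasons.append("security patch level older than policy allows")
    if dev.antivirus not in policy["approved_antivirus"]:
        reasons.append("approved antivirus not installed")
    elif (dev.av_definitions_date is None
          or days_since(dev.av_definitions_date, today) > policy["max_av_definition_age_days"]):
        reasons.append("antivirus definitions out of date")
    return ("allow" if not reasons else "remediate"), reasons
# Constructed sample posture reports: compliant, out-of-date, and jailbroken.
SAMPLE_POSTURES = [
    DevicePosture("d1", "ios", "16.4", "2024-04-15", "ExampleAV", "2024-05-30", False),
    DevicePosture("d2", "android", "12", "2024-01-01", None, None, False),
    DevicePosture("d3", "ios", "16.4", "2024-05-01", "ExampleAV", "2024-05-30", True),
]
def evaluate_all(postures, today: str) -> dict:
    return {d.device_id: evaluate(d, today) for d in postures}
```

A "remediate" result is the case where IT pushes the missing update or antivirus install before access is restored, while a rooted device is blocked outright.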

Forensics
A key issue in BYOD, CYOD, and COPE is how to handle device data when an investigation is required.
Any captured data will likely include an employee’s personal information along with corporate data. Although tools can be used to record WLAN data from capture points for forensics, many times a device itself requires imaging. Organizations can try to limit the scope of an investigation or perform data capture when a personal device is involved. However, prevailing litigation consequences for failing to preserve data might take precedence. Organizations need to ensure that proper BYOD, CYOD, and COPE incident response procedures are formulated and communicated to users.
In a BYOD, CYOD, or COPE environment, legal requirements take precedence. In an investigation, employees might be temporarily unable to use their devices during the investigation period.

Quiz:

1. Which of the following enables the use of location services for applications on mobile devices?
A. BYOD
B. GPS
C. MMS
D. OTA

2. As more users are using mobile devices for work, you have been tasked with supporting the compliance team by ensuring that policies can be enforced. You also need remote management capabilities of the devices. Which of the following solutions should you consider?
A. GPS
B. MDM
C. OTP
D. PIN

3. Which of the following are deployment strategies for mobile devices? (Select three.)
A. BYOD
B. CYOD
C. COPE
D. BYOB

4. What device security methods can be implemented to protect business content from security risks associated with personal usage? (Select two.)
A. Jailbreaking
B. Storage segmentation
C. Containerization
D. Rooting

5. What feature enables users to secure sensitive information on a mobile device’s removable flash memory storage card?
A. FDE
B. UEM
C. OTA updates
D. VDI

Answer 1: B. GPS services built into mobile devices provide a number of useful services related to the location of the device. Answer A is incorrect because bring your own device (BYOD) is a model for allowing users to use their own devices in the workplace. Answer C is incorrect because MMS is used to send multimedia via text. Answer D is incorrect because OTA is a mechanism for updating software over the air.
Answer 2: B. A mobile device management (MDM) solution helps with management of mobile devices, including remote management capabilities as well as policy enforcement. Answer A is incorrect because GPS relies on satellite technology to provide location services. Answers C and D are both incorrect but are important to ensuring authentication to the device and applications: OTP is a one-time password, usually for applications, and a PIN provides a means to authenticate into the device.
Answer 3: A, B, and C are correct. BYOD, COPE, and CYOD are all deployment strategies for mobile devices in organizations. Answer D is not a mobile device deployment strategy, and thus it is incorrect.
Answer 4: B and C are correct. Storage segmentation and containerization separate personal and business content on a device. They are necessary when an organization has a BYOD policy. These approaches are used in conjunction with MAM as a way to apply policies to mobile devices. Answers A and D are incorrect; illegally gaining administrative privileges on Apple iOS is called jailbreaking and on Android devices is called rooting.
Answer 5: A. Full device encryption (FDE) enables users to secure sensitive information on a mobile device’s removable flash memory storage card. Answer B is incorrect because unified endpoint management (UEM) is a newer security approach that focuses on managing and securing all devices, including desktops, laptops, tablets, and smartphones, from a single location. Answer C is incorrect because mobile devices have the capability to receive and install over-the-air (OTA) system and application updates that are pushed over Wi-Fi to devices. Answer D is incorrect because virtual desktop infrastructure (VDI) is the process by which an organization hosts virtual desktops on a centralized server.