📱 Mobile Device Management Skill

🎯 Purpose

This skill enforces mobile device management (MDM) controls for BYOD (Bring Your Own Device) environments, personal device security requirements, and endpoint protection. Based on Hack23 AB's Mobile Device Management Policy, it demonstrates enterprise-grade MDM without enterprise infrastructure.

Key Principle: "BYOD means 'Bring Your Own Disaster'—but only if devices remain unmanaged."

📚 Scope

This skill covers:

📱 BYOD Policy: Personal device security requirements for business use
🔐 Endpoint Protection: Encryption, malware protection, device health
📲 Mobile App Security: Approved apps, containerization, data separation
🔒 Device Encryption: Full device encryption requirements
☁️ Remote Wipe: Data protection for lost/stolen devices
📊 Compliance Monitoring: MDM enrollment, policy enforcement, auditing

⚙️ Security Rules

MUST Requirements

Mobile device controls you MUST implement:

📱 Device Enrollment & Policy

mdm_requirements: enrollment: pre_enrollment: - device_assessment: verify_os_version_and_security_status - ownership: personal_device_acknowledged - consent: user_agrees_to_MDM_policies_and_remote_wipe

enrollment_platforms:
  aws_workmail:
    email_access: mdm_profile_required_for_corporate_email
    enforcement: email_not_delivered_until_enrolled
  
  alternative_mdm:
    intune: supported_for_future_employee_devices
    jamf: supported_for_ios_macos_fleet
    workspace_one: supported_for_enterprise_deployment

policy_enforcement: mandatory_controls: - device_encryption: full_device_encryption_required - screen_lock: automatic_lock_5_minutes_maximum - passcode_complexity: 6_digit_minimum_or_biometric - os_updates: critical_security_patches_within_30_days - jailbreak_detection: rooted_jailbroken_devices_blocked

🔐 Encryption & Authentication

device_security: encryption: ios_devices: - device_encryption: enabled_by_default_ios_8_and_later - verification: mdm_reports_encryption_status - backup_encryption: icloud_backup_encrypted

android_devices:
  - device_encryption: mandatory_android_10_and_later
  - verification: mdm_checks_encryption_status
  - sd_card: external_storage_encrypted_if_used

workstations:
  - ubuntu_luks: full_disk_encryption_mandatory
  - windows_bitlocker: required_for_windows_devices
  - macos_filevault: required_for_mac_devices

authentication: mobile_devices: - screen_lock: biometric_preferred_pin_backup - timeout: 5_minutes_idle_maximum - failed_attempts: 10_attempts_before_wipe_or_lockout

mfa_requirements:
  - totp: google_authenticator_or_authy_required
  - hardware_tokens: yubikey_for_critical_systems
  - sms_backup: acceptable_but_not_primary_method

- 📲 App Management & Containerization

application_control: corporate_email: approved_email_apps: - ios_native_mail: with_aws_workmail_mdm_profile - android_gmail: with_workmail_integration - outlook_mobile: with_workmail_configuration

data_separation:
  - corporate_container: email_calendar_contacts_isolated
  - personal_data: unaffected_by_selective_wipe
  - copy_paste: restricted_from_corporate_to_personal_apps

business_apps: approved_list: - authenticator: google_authenticator_authy_microsoft - secure_messaging: signal_for_confidential_communications - cloud_access: aws_console_github_mobile - vpn: wireguard_openvpn_for_network_access

prohibited_apps:
  - file_sharing: dropbox_personal_google_drive_personal
  - messaging: whatsapp_telegram_for_business_data
  - vpn: free_untrusted_vpn_services
  - remote_access: teamviewer_anydesk_without_approval

- ☁️ Remote Wipe & Device Loss

remote_management: wipe_capabilities: selective_wipe: scope: corporate_email_contacts_calendar_only trigger: device_loss_employment_termination user_impact: personal_data_photos_apps_unaffected process: - aws_workmail_console: select_device_initiate_wipe - verification: confirm_wipe_completion_within_24_hours - documentation: record_in_incident_response_log

full_device_wipe:
  scope: entire_device_factory_reset
  trigger: theft_suspected_compromise_high_risk_scenario
  user_impact: all_data_lost_device_unusable
  process:
    - find_my_iphone: ios_devices_remote_wipe
    - find_my_device: android_devices_remote_wipe
    - mdm_console: enterprise_mdm_full_wipe_command

device_loss_procedure: immediate_actions: - within_30_minutes: - disable_credentials: aws_github_google_accounts - initiate_wipe: selective_or_full_based_on_risk - change_passwords: all_accounts_accessed_from_device

follow_up_actions:
  - within_24_hours:
      - review_logs: check_for_unauthorized_access
      - notify_stakeholders: inform_clients_if_data_exposure_risk
      - update_asset_register: mark_device_as_lost_stolen
      - police_report: file_if_theft_suspected

- 📊 Monitoring & Compliance

compliance_monitoring: mdm_dashboards: aws_workmail_console: metrics: - device_enrollment_status: active_pending_blocked - encryption_compliance: percentage_encrypted_devices - os_version_currency: devices_within_30_day_update_window - policy_violations: jailbreak_attempts_screen_lock_disabled

review_frequency:
  - daily: critical_alerts_jailbreak_encryption_disabled
  - weekly: os_update_status_app_compliance
  - monthly: full_mdm_compliance_report_and_documentation

device_health_checks: automated_checks: - encryption_status: mdm_verifies_daily - os_version: alert_if_30_days_behind_latest - jailbreak_detection: immediate_alert_and_block - malware_detection: os_native_av_plus_mdm_scanning

manual_verification:
  - quarterly_audit: physical_inspection_of_device_security
  - annual_review: update_mdm_policies_based_on_threats

MUST NOT Prohibitions

Mobile device practices you MUST NOT do:

❌ Unmanaged Device Access

prohibited_practices:

email_without_mdm: accessing_corporate_email_on_unenrolled_devices
jailbroken_devices: using_rooted_jailbroken_devices_for_business
outdated_os: devices_more_than_60_days_behind_security_patches
disabled_encryption: turning_off_device_encryption_for_any_reason
shared_devices: using_shared_family_devices_for_corporate_access

❌ Insecure Practices

dangerous_behaviors:

public_wifi: accessing_sensitive_data_without_vpn_on_public_networks
sideloading_apps: installing_apps_from_untrusted_sources
disabled_screen_lock: removing_passcode_biometric_authentication
unsecured_backup: unencrypted_backups_to_computers_or_cloud
app_permissions: granting_excessive_permissions_to_untrusted_apps

❌ Data Leakage

prohibited_data_handling:

unencrypted_storage: storing_corporate_data_in_personal_cloud_apps
screenshot_sharing: taking_screenshots_of_sensitive_corporate_data
personal_messaging: forwarding_corporate_emails_to_personal_accounts
unsecured_forwarding: auto_forwarding_work_email_to_personal_email
file_attachments: downloading_sensitive_files_to_personal_storage

💡 Examples

Example 1: iOS Device Enrollment (Compliant)

Scenario: Enrolling personal iPhone for corporate email access.

iOS Device MDM Enrollment

device_enrollment: device_info: model: iPhone_14_Pro os_version: iOS_17.2 ownership: personal_device purpose: corporate_email_and_mfa

pre_enrollment_checklist: - device_backup: icloud_backup_completed_before_mdm - os_update: ios_updated_to_latest_version - find_my_iphone: enabled_for_remote_wipe_capability - passcode: strong_passcode_configured_6_digits_minimum

enrollment_process: step_1_aws_workmail_setup: - open_settings: navigate_to_mail_accounts_add_account - select_exchange: enter_hack23_com_email_address - accept_mdm_profile: tap_install_when_prompted - authenticate: enter_email_password_accept_mfa_challenge

step_2_mdm_configuration:
  policies_applied:
    - device_encryption: verified_enabled
    - screen_lock: automatic_after_5_minutes
    - passcode_requirement: 6_digit_minimum_enforced
    - jailbreak_detection: enabled_will_block_if_detected
    - app_restrictions: corporate_data_containerized

step_3_verification:
  - send_test_email: verify_email_delivery_to_device
  - check_calendar: confirm_calendar_sync_working
  - test_screen_lock: ensure_automatic_lock_activates
  - mdm_console: verify_device_shows_compliant_in_aws_workmail

post_enrollment: security_configuration: - install_authenticator: google_authenticator_for_mfa - configure_vpn: wireguard_vpn_for_aws_console_access - install_approved_apps: signal_aws_console_github_mobile - test_remote_wipe: verify_find_my_iphone_accessible

user_training:
  - data_separation: explain_corporate_vs_personal_data
  - remote_wipe: acknowledge_selective_wipe_capability
  - incident_reporting: know_procedure_for_device_loss
  - policy_compliance: review_mobile_device_policy

Result: ✅ Compliant - Device enrolled with full MDM protection

ISO 27001:2022 Mapping:

A.8.1: User endpoint devices
A.7.9: Security of assets off-premises
A.5.19: Information security in supplier relationships (AWS WorkMail MDM)

Example 2: Android Device with Work Profile (Compliant)

Scenario: Setting up Android work profile for data separation.

Android Work Profile Configuration

android_work_profile: device_info: model: Samsung_Galaxy_S23 os_version: Android_14 ownership: personal_device byod_approach: work_profile_for_separation

work_profile_setup: enrollment: - install_company_portal: download_from_google_play_if_using_intune - configure_email: add_exchange_account_prompts_work_profile - accept_policies: agree_to_mdm_enrollment_and_remote_wipe

profile_configuration:
  work_container:
    apps:
      - gmail: work_profile_version_for_corporate_email
      - calendar: work_profile_calendar_for_business
      - contacts: work_profile_contacts_separate_from_personal
      - authenticator: work_profile_google_authenticator
    
    security:
      - separate_encryption: work_profile_encrypted_independently
      - separate_lock: work_profile_can_have_different_password
      - data_isolation: work_apps_cannot_access_personal_data
  
  personal_container:
    apps:
      - gmail: personal_gmail_unaffected_by_mdm
      - photos: personal_photos_not_visible_to_work_profile
      - social_media: personal_apps_separate_from_business
    
    protection:
      - unaffected_by_selective_wipe: personal_data_safe
      - no_corporate_access: personal_apps_cannot_access_work_data

security_controls: enforced_policies: - work_profile_encryption: mandatory_for_enrollment - screen_lock: required_after_5_minutes_idle - password_complexity: 6_character_minimum - device_admin: mdm_has_device_admin_permissions - remote_wipe: selective_wipe_removes_work_profile_only

monitoring:
  - compliance_checks: mdm_verifies_work_profile_security_daily
  - policy_violations: alerts_if_rooted_or_policies_disabled
  - app_inventory: mdm_tracks_apps_in_work_profile_only

Result: ✅ Compliant - Strong data separation with work profile

Benefits:

🔐 Corporate data protected in encrypted work profile
📱 Personal data unaffected by MDM policies
☁️ Selective wipe removes work profile only
👤 User privacy maintained for personal apps

Example 3: Remote Wipe After Device Theft (Incident Response)

Scenario: iPhone stolen from restaurant table, immediate response required.

❌ Initial Situation:

CRITICAL INCIDENT - Device Theft

incident_details: date_time: 2026-02-10_19:30_UTC location: restaurant_stockholm_sweden device: iPhone_14_Pro_MOB-001 circumstances: left_on_table_during_bathroom_visit_stolen data_at_risk: - corporate_email: 6_months_of_client_communications - aws_console: mobile_app_logged_in_with_session - github: mobile_app_with_push_notifications - signal: encrypted_messages_with_clients - authenticator: totp_tokens_for_all_business_accounts

✅ Immediate Response (Within 30 Minutes):

PHASE 1: Credential Lockdown

credential_actions:

00:00_discovery: realize_phone_missing_immediately_report
00:05_passwords:
- aws: change_root_and_iam_user_passwords
- github: change_password_revoke_active_sessions
- google: change_password_revoke_device_sessions
- email: change_aws_workmail_password
00:10_mfa_reset:
- disable_totp: temporarily_disable_totp_on_all_accounts
- use_backup_codes: switch_to_backup_authentication_codes
- hardware_token: use_yubikey_as_primary_mfa
00:15_device_control: action: initiate_full_device_wipe method: find_my_iphone steps: - login_icloud: from_workstation_browser - select_device: iPhone_14_Pro - initiate_wipe: full_device_erase_selected - activation_lock: mark_as_lost_with_message

aws_workmail_action: - login_console: aws_workmail_admin_console - select_device: MOB-001_iPhone_14_Pro - selective_wipe: remove_corporate_email_calendar_contacts - block_device: prevent_future_enrollment_from_this_device_id

PHASE 2: Monitoring & Investigation

follow_up_24_hours:

review_logs:
- aws_cloudtrail: check_for_unauthorized_console_access
- github_audit_log: review_repository_access_attempts
- email_logs: check_for_sent_emails_after_theft
assess_exposure:
- data_classification: mostly_HIGH_some_CRITICAL_client_data
- breach_notification: assess_gdpr_breach_notification_requirement
- client_impact: determine_if_client_notification_needed
documentation:
- incident_log: record_in_incident_response_plan
- asset_register: update_device_status_to_STOLEN
- risk_register: update_device_theft_risk_with_actual_incident
- police_report: file_theft_report_with_local_police
recovery:
- procurement: order_replacement_iPhone
- restore: restore_from_icloud_backup_to_new_device
- re_enroll: enroll_new_device_in_aws_workmail_mdm
- verify: confirm_all_security_controls_active

PHASE 3: Lessons Learned

improvements:

policy_update:
- restaurant_policy: no_devices_left_unattended_in_public
- screen_lock_timeout: reduce_to_2_minutes_for_public_spaces
- critical_app_review: remove_aws_console_from_mobile_device
technical_controls:
- bluetooth_tracker: attach_airtag_to_phone_case
- screen_lock_reminder: enable_ios_attention_aware_feature
- backup_frequency: increase_icloud_backup_to_daily

Result: ✅ Incident Contained - Data exposure prevented through rapid response

Key Takeaways:

⚡ Speed matters: 30-minute credential lockdown window is critical
🔐 Remote wipe capability is essential for BYOD
📝 Documentation enables effective incident response
🔄 Lessons learned improve future security posture

🔗 Integration Points

ISMS Policy Integration

This skill implements controls from:

Mobile Device Management Policy - Complete MDM framework
Access Control Policy - Authentication and MFA requirements
Cryptography Policy - Device encryption standards
Information Security Policy - Overall security framework
Incident Response Plan - Device loss procedures

Related Security Skills

physical-security - Equipment protection and device loss prevention
access-control - Authentication, MFA, and session management
cryptography - Device and data encryption requirements
network-security - VPN and secure network access from mobile devices

Compliance Frameworks

ISO 27001:2022 Controls:

A.8.1 - User endpoint devices (MDM enrollment and policy enforcement)
A.7.9 - Security of assets off-premises (mobile device protection)
A.5.19 - Information security in supplier relationships (AWS WorkMail MDM)
A.5.23 - Information security for use of cloud services (MDM cloud platform)
A.6.4 - Access to networks and network services (mobile network access control)

NIST CSF 2.0 Functions:

PR.AC-01 - Identities and credentials managed for authorized devices (MDM enrollment)
PR.AC-03 - Remote access is managed (mobile device remote management)
PR.DS-01 - Data-at-rest is protected (device encryption)
PR.PT-01 - Audit/log records are determined and managed (MDM compliance logging)
DE.CM-01 - Networks and environments are monitored (mobile device health monitoring)
RS.RP-01 - Response plan is executed (device loss incident response)

CIS Controls v8.1:

1.1 - Establish and maintain detailed enterprise asset inventory (mobile device tracking)
4.1 - Establish and maintain a secure configuration process (MDM policy enforcement)
10.5 - Enable anti-exploitation features (mobile OS security features)
12.8 - Establish and maintain dedicated computing resources for high-value assets (work profile separation)
3.3 - Configure data access control lists (app containerization)

🎯 Best Practices

MDM Platform Selection

AWS WorkMail MDM (Current Implementation):

advantages:

cost: included_with_email_service_no_additional_licensing
integration: native_aws_workmail_email_integration
simplicity: suitable_for_single_person_company
capabilities:
- selective_wipe: removes_email_calendar_contacts_only
- policy_enforcement: encryption_screen_lock_os_version
- compliance_monitoring: dashboard_shows_device_status

limitations:

basic_features: fewer_advanced_controls_than_enterprise_mdm
platform_support: primarily_mobile_devices_not_workstations
app_management: limited_app_distribution_capabilities
reporting: basic_compliance_reports_not_detailed_analytics

suitable_for:

small_businesses: 1-50_employees
email_focused: primary_use_case_is_corporate_email
budget_conscious: no_additional_mdm_licensing_costs

Enterprise MDM Platforms (Future Scaling):

microsoft_intune: best_for: windows_office_365_environments features: - conditional_access: azure_ad_integration - app_protection: without_full_device_enrollment - windows_management: autopilot_deployment cost: included_with_microsoft_365_e3_e5

jamf: best_for: apple_device_fleets_ios_macos features: - zero_touch_deployment: apple_dep_integration - advanced_inventory: detailed_device_management - custom_app_deployment: enterprise_app_distribution cost: per_device_annual_subscription

vmware_workspace_one: best_for: multi_platform_large_enterprises features: - unified_endpoint_management: all_device_types - workspace_integration: app_virtualization - advanced_analytics: device_usage_insights cost: per_device_tiered_pricing

Device Lifecycle Management

Mobile Device Lifecycle

1. Pre-Enrollment

Assess business need for mobile device
Verify device OS meets minimum version requirements
Obtain user consent for MDM enrollment (BYOD)
Document device in Asset Register

2. Enrollment

Install MDM profile (AWS WorkMail, Intune, Jamf)
Verify encryption enabled
Configure screen lock and timeout
Test remote wipe capability
Install approved business apps
Configure VPN for secure access

3. Operational Use

Monthly MDM compliance review
Quarterly OS update verification
Semi-annual app inventory audit
Annual policy acknowledgment

4. Incident Response

Device loss: Immediate credential lockdown
Remote wipe: Selective or full based on risk
Log review: Check for unauthorized access
Documentation: Update incident log

5. Retirement

Remove from MDM console
Selective wipe of corporate data
Update Asset Register status
Document disposal method

BYOD Security Tiers

Classification Email Access App Restrictions Monitoring Remote Wipe

🔴 Critical Work Profile Only Approved Apps Only Continuous Full Wipe

🟠 High MDM Required Approved + Restricted Daily Check Selective Wipe

🟡 Medium MDM Recommended Guidance Provided Weekly Check Selective Wipe

🟢 Low Basic Security General Guidelines Monthly Check Email Only

📊 Risk Mitigation

Mobile Device Threats

Threat Impact Likelihood Risk Level Mitigation

Device Theft 🔴 Critical 🟡 Medium 🔴 High Encryption, remote wipe, screen lock

Malware 🟠 High 🟡 Medium 🟠 High OS-native AV, app approval, MDM scanning

Phishing 🟠 High 🔴 High 🔴 High User training, email filtering, MFA

Jailbreak/Root 🟠 High 🟢 Low 🟡 Medium MDM detection, device blocking

Public WiFi 🟡 Medium 🔴 High 🟠 High VPN mandatory, TLS enforcement

App Vulnerabilities 🟡 Medium 🟠 High 🟠 High OS updates, app approval process

Data Leakage 🔴 Critical 🟡 Medium 🔴 High Containerization, DLP, monitoring

🔍 Validation & Testing

MDM Compliance Check

#!/bin/bash

MDM Compliance Verification Script

echo "📱 Hack23 AB - MDM Compliance Check" echo "=====================================" echo ""

Check AWS WorkMail MDM Enrollment Status

echo "🔍 Checking MDM Enrollment..." read -p "Is device enrolled in AWS WorkMail MDM? (yes/no): " mdm_enrolled

if [ "$mdm_enrolled" != "yes" ]; then echo "❌ CRITICAL: Device not enrolled in MDM - email access should be blocked" echo "📝 Action: Enroll device immediately or discontinue corporate email use" exit 1 fi

Check Encryption Status

echo "" echo "🔐 Checking Encryption Status..." read -p "Is full device encryption enabled? (yes/no): " encryption_enabled

if [ "$encryption_enabled" != "yes" ]; then echo "❌ CRITICAL: Device encryption disabled" echo "📝 Action: Enable device encryption immediately" exit 1 fi

Check Screen Lock

echo "" echo "🔒 Checking Screen Lock Configuration..." read -p "Is automatic screen lock enabled (<5 min)? (yes/no): " screen_lock

if [ "$screen_lock" != "yes" ]; then echo "⚠️ WARNING: Screen lock timeout too long or disabled" echo "📝 Action: Configure automatic lock within 5 minutes" fi

Check OS Version

echo "" echo "📲 Checking OS Version Currency..." read -p "Is OS version within 30 days of latest release? (yes/no): " os_current

if [ "$os_current" != "yes" ]; then echo "⚠️ WARNING: OS version outdated" echo "📝 Action: Install latest OS security updates" fi

Check Jailbreak/Root Status

echo "" echo "🛡️ Checking Device Integrity..." read -p "Is device NOT jailbroken/rooted? (yes/no): " not_jailbroken

if [ "$not_jailbroken" != "yes" ]; then echo "❌ CRITICAL: Jailbroken/rooted device detected" echo "📝 Action: Restore device to factory settings or use different device" exit 1 fi

Check Remote Wipe Capability

echo "" echo "☁️ Checking Remote Wipe Capability..." read -p "Is remote wipe capability tested and functional? (yes/no): " remote_wipe

if [ "$remote_wipe" != "yes" ]; then echo "⚠️ WARNING: Remote wipe not verified" echo "📝 Action: Verify Find My iPhone/Android Device Manager accessible" fi

Final Report

echo "" echo "=====================================" echo "✅ MDM Compliance Check Complete" echo "" echo "📝 Review MDM console for detailed device status:" echo " AWS WorkMail: https://console.aws.amazon.com/workmail/" echo "" echo "🔄 Next Review: Monthly compliance check scheduled"

🎓 Training & Awareness

Mobile Security Awareness

The Five Essential MDM Controls:

Device Enrollment: Register before access, know what's connecting
Policy Enforcement: Require encryption, screen locks, updates
App Management: Control what apps access what data
Remote Wipe: Lost device? Delete corporate data
Monitoring & Compliance: Track compliance, detect anomalies

BYOD Reality:

Personal devices bypass perimeters, roam networks, install apps
Accept BYOD reality, implement pragmatic controls
Maintain ability to protect corporate data when devices compromised

Resources

Mobile Device Management Policy: View on GitHub
ISO 27001:2022 A.8: User endpoint devices
NIST SP 800-124 Rev. 2: Guidelines for Managing the Security of Mobile Devices in the Enterprise
CIS Mobile Device Security Guide: iOS and Android security benchmarks

📋 Document Control

Skill Metadata:

Version: 1.0
Last Updated: 2026-02-10
Review Cycle: Semi-Annual
Owner: Hack23 AB Security Team
Classification:

Framework Compliance:

License: Apache-2.0

Repository: https://github.com/Hack23/homepage

mobile device management

Safety Notice

Copy this and send it to your AI assistant to learn