Using MDM for SOC 2 and ISO 27001 Compliance

Last updated April 12, 2021

As business operations increasingly rely on hosted data and software solutions, the importance of employee and customer data grows. This increased reliance is causing more and more companies to look to information security frameworks such as SOC 2 and ISO 27001 for guidance. Frameworks such as these put in place standardized security policies, procedures, techniques, plans, and actions so that an organization handles data responsibly and, should an incident arise, has a procedure in place for recovery.

Your organization may be working toward achieving SOC 2 or ISO 27001 compliance. Typically, organizations will contract a third party to assist them in this process and to conduct an audit for certification. This article outlines the functionalities of SimpleMDM that relate to these data security frameworks and can be used to achieve their data security requirements.

Device Security Policies

Perhaps the most helpful aspect of Apple MDM, as it relates to data security frameworks, is the ability to establish rules on how the devices store data, share data with applications, and interact with third-party web services.

Forcing Management

Apple’s Automated Device Enrollment (formerly known as Apple DEP) is a program that allows businesses to purchase Apple equipment that is pre-configured to enroll with device management. Using this functionality, an organization can guarantee that their hardware, when powered on, will be under administrative control. Our guide on Automated Device Enrollment goes into great depth on this topic.

Additionally, SimpleMDM supports integration with your existing Identity Service Provider (IdP). If you already have controls around identity and password policy with your IdP, you can leverage those and require your users to authenticate before using their device for the first time and enrolling with SimpleMDM.

Passcode and Screen Lock

The passcode and screensaver configuration section of SimpleMDM allows you to specify password complexity, length, and history requirements. Inactivity limits before the device locks can also be set. This lets you set a baseline of hygiene for your organization's passwords and ensures that devices are not left unattended and unlocked.

The Restrictions functionality of SimpleMDM provides the ability to disable the use of Touch ID as well as auto-unlock features on iOS, should your organization deem them unsafe.

Data Encryption, Physical Protection

If a bad actor gets ahold of a physical device such as a notebook or iPhone, a strong password alone will not protect the data. The encryption configuration options within SimpleMDM can force devices to enable FileVault encryption and can also escrow a decryption key within SimpleMDM should you, the administrator, need to decrypt the device at a later time.

An adjacent functionality is the firmware password configuration for macOS. This allows further hardening of a device, requiring a password to access the macOS recovery utility and to boot off a different startup disk, both of which can be vectors for a physical attack on a device.

The Restrictions functionality can disable USB connections on devices when they are locked for added physical security. Additionally, for iOS, it can force backups to be encrypted.

Network Data Security

The facilities for securing the transport of data are numerous. The following are options that you can tailor for the particular goals and requirements of your organization:

  • Firewall: Force enable the network firewall on devices, blocking unsolicited traffic.
  • Global Web Proxy: Use the Global HTTP Proxy configuration to force devices to send all HTTP requests through a proxy “choke point” of your choosing.
  • VPN: Configure a VPN account automatically for each device to provide a private data transport between the device and your VPN server.
  • Wireless Network: Users are more likely to use wireless networks when they are preconfigured. Use the additional functionality in SimpleMDM to restrict a device to only the Wi-Fi networks you have approved.
  • Restrictions functionality: The restrictions feature of SimpleMDM provides many granular controls over data transport and handling. Namely:
    • Disable AirDrop
    • Disable AirPrint
    • Require TLS and/or disable untrusted TLS for web connections
    • Managed Open-In: Restrict data export from managed apps and/or restrict data import to managed apps
    • Disable JavaScript, cookies, and other frequently abused functionality within Safari
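The passcode controls described under Passcode and Screen Lock and the Restrictions settings listed above both reach the device as keys in Apple configuration profile payloads, so an auditor can check an exported profile rather than trust screenshots. The following Python script is an added example, not SimpleMDM's code: it audits a parsed .mobileconfig against a baseline. The payload types and key names are Apple's own; the thresholds in BASELINE and the sample profile are assumptions constructed for illustration.

```python
import operator
import plistlib

PASSCODE = "com.apple.mobiledevice.passwordpolicy"   # Apple passcode payload type
RESTRICTIONS = "com.apple.applicationaccess"          # Apple Restrictions payload type

# key -> (comparison, required value). Thresholds are an assumption for this
# example; set them from your own written policy.
BASELINE = {
    PASSCODE: {
        "forcePIN": (operator.eq, True),
        "allowSimple": (operator.eq, False),
        "minLength": (operator.ge, 8),
        "pinHistory": (operator.ge, 5),
        "maxInactivity": (operator.le, 5),  # minutes idle before auto-lock
    },
    RESTRICTIONS: {
        "allowAirDrop": (operator.eq, False),
        "allowAirPrint": (operator.eq, False),
        "forceEncryptedBackup": (operator.eq, True),
        "allowUntrustedTLSPrompt": (operator.eq, False),
        "allowOpenFromManagedToUnmanaged": (operator.eq, False),
        "safariAllowJavaScript": (operator.eq, False),
    },
}

def audit_profile(profile):
    """Return findings for a parsed .mobileconfig dict; an empty list is compliant."""
    findings = []
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    for ptype, rules in BASELINE.items():
        payload = payloads.get(ptype)
        if payload is None:
            findings.append(f"{ptype}: payload missing")
            continue
        for key, (check, want) in rules.items():
            have = payload.get(key)
            # A key left out falls back to Apple's permissive default: report it.
            if have is None or not check(have, want):
                findings.append(f"{ptype}.{key}: have {have!r}, need {check.__name__} {want!r}")
    return findings

# Constructed sample: passcode payload partly weak, Restrictions payload absent.
SAMPLE_PROFILE = {"PayloadType": "Configuration", "PayloadContent": [
    {"PayloadType": PASSCODE, "forcePIN": True, "allowSimple": True,
     "minLength": 6, "pinHistory": 5, "maxInactivity": 15}]}

if __name__ == "__main__":  # round-trip through plistlib as a real export would parse
    for finding in audit_profile(plistlib.loads(plistlib.dumps(SAMPLE_PROFILE))):
        print(finding)
```

To audit a real export, replace the round-trip with `plistlib.load(open("profile.mobileconfig", "rb"))`; a signed profile must be unwrapped from its CMS envelope first.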

Security Software

SimpleMDM provides a robust app management solution for both iOS and macOS. Using native MDM functionality, or optionally an on-device agent (read more about our Munki functionality), SimpleMDM can automatically install and configure security-minded software. We recommend considering the following options:

  • Password management
  • A secure/approved web browser
  • VPN software
  • Company-internal software

SimpleMDM can automatically keep this software up to date as well as provide a report of installed versions across your fleet of devices.

Incident Response and Remediation

Should a device become compromised, SimpleMDM provides the following functionality, listed in increasing order of severity:

  • Device Lock: The device is placed in a lock mode and cannot be used until the necessary passcode is provided.
  • Configuration Removal: The configurations, as supplied by SimpleMDM, are removed from the device. The non-MDM-related configurations and data remain on the device.
  • Device Wipe: The data on the device is completely erased and the device is returned to its factory default settings.

Auditing

The configuration of devices in a deployment, when left unmonitored, can be a bit of a moving target. SimpleMDM includes a notification engine that detects if devices unenroll from SimpleMDM, have a configuration issue that prevents them from being managed, or if they haven’t been seen for a configurable amount of time. When this happens, administrators can optionally receive email notifications so that the devices can be brought back under management.

A read-only activity log is a necessary facility should there be concerns about device or management activity. SimpleMDM provides a log facility that tracks both configuration changes and actions performed on devices. This is useful when determining what actions were performed, when, and by whom.
