Last updated April 12, 2021
As business operations increasingly rely on hosted data and software solutions, the importance of employee and customer data grows. This increased reliance is causing more and more companies to look to information security frameworks such as SOC 2 and ISO 27001 for guidance. Frameworks such as these put in place standardized security policies, procedures, techniques, plans, and actions so that an organization handles data responsibly and, should an incident arise, has a procedure in place for recovery.
Your organization may be working toward achieving SOC 2 or ISO 27001 compliance. Typically, organizations will contract a third party to assist them in this process and to conduct an audit for certification. This article outlines the functionalities of SimpleMDM that relate to these data security frameworks and can be used to achieve their data security requirements.
Perhaps the most helpful aspect of Apple MDM, as it relates to data security frameworks, is the ability to establish rules on how the devices store data, share data with applications, and interact with third-party web services.
Apple’s Automated Device Enrollment (formerly known as Apple DEP) is a program that allows businesses to purchase Apple equipment that is pre-configured to enroll with device management. Using this functionality, an organization can guarantee that their hardware, when powered on, will be under administrative control. Our guide on Automated Device Enrollment goes into great depth on this topic.
Additionally, SimpleMDM supports integration with your existing Identity Service Provider (IdP). If you already have controls around identity and password policy with your IdP, you can leverage those and require your users to authenticate before using their device for the first time and enrolling with SimpleMDM.
The passcode and screensaver configuration section of SimpleMDM allows you to specify password complexity, length, and history requirements, as well as the inactivity limit after which a device locks. This lets you set a baseline of hygiene for your organizational passwords and ensures devices are not left unattended and unlocked.
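As an added example (not SimpleMDM's own code or API), the script below builds the standard Apple passcode-policy configuration profile that an MDM pushes to a device and then audits it against a constructed baseline. The payload keys (`com.apple.mobiledevice.passwordpolicy`, `minLength`, `pinHistory`, `maxInactivity`, and so on) are Apple's documented Passcode payload keys; the baseline values are a sample chosen for illustration, not numbers taken from SOC 2 or ISO 27001.

```python
"""Build and audit an Apple passcode-policy configuration profile.

Added example, not SimpleMDM code. It assumes the standard Apple
"com.apple.mobiledevice.passwordpolicy" payload keys; the baseline
values below are a constructed sample, not a SOC 2 / ISO 27001 figure.
"""
import plistlib
import uuid

# Constructed baseline: the minimum hygiene every device should meet.
BASELINE = {
    "minLength": 12,          # at least 12 characters
    "requireAlphanumeric": True,
    "pinHistory": 5,          # remember the last 5 passcodes
    "maxInactivity": 5,       # lock after 5 minutes idle
    "maxFailedAttempts": 10,  # device wipes/locks after 10 bad attempts
}


def build_passcode_profile(policy, identifier="com.example.passcode"):
    """Return a .mobileconfig (XML plist) holding one passcode payload."""
    payload = {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadIdentifier": f"{identifier}.payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Passcode Policy",
        "forcePIN": True,      # a passcode is mandatory
        "allowSimple": False,  # no repeating/sequential passcodes
    }
    payload.update(policy)
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Passcode Policy",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_passcode_profile(profile_bytes, baseline=BASELINE):
    """Compare every passcode payload in a profile against the baseline.

    Returns a list of findings; an empty list means the profile meets
    or exceeds the baseline on every checked key.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not payloads:
        return ["no passcode payload present"]
    findings = []
    for p in payloads:
        if not p.get("forcePIN", False):
            findings.append("forcePIN not set: passcode is optional")
        if p.get("allowSimple", True):  # Apple's default is True
            findings.append("allowSimple permits repeating/sequential passcodes")
        if baseline["requireAlphanumeric"] and not p.get("requireAlphanumeric", False):
            findings.append("requireAlphanumeric not enforced")
        # Larger value is stricter; unset counts as 0.
        for key in ("minLength", "pinHistory"):
            value = p.get(key, 0)
            if value < baseline[key]:
                findings.append(f"{key}={p.get(key, 'unset')} below baseline {baseline[key]}")
        # Smaller value is stricter; unset or 0 means no limit at all.
        for key in ("maxInactivity", "maxFailedAttempts"):
            value = p.get(key)
            if value is None or value == 0 or value > baseline[key]:
                shown = "unset" if value is None else value
                findings.append(f"{key}={shown} looser than baseline {baseline[key]}")
    return findings


if __name__ == "__main__":
    weak = build_passcode_profile({"minLength": 4, "maxInactivity": 15})
    for finding in audit_passcode_profile(weak):
        print(finding)
```

The audit distinguishes keys where a larger value is stricter (length, history) from keys where a smaller value is stricter (inactivity, failed attempts), because an unset inactivity limit is the weakest possible setting, not a zero.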
The Restrictions functionality of SimpleMDM provides the ability to disable the use of Touch ID as well as auto-unlock features on iOS, should your organization deem them unsafe.
If a bad actor gets ahold of a physical device such as a notebook or iPhone, a strong password alone will not protect the data. The encryption configuration options within SimpleMDM can force devices to enable FileVault encryption and can also escrow a decryption key within SimpleMDM should you, the administrator, need to decrypt the device at a later time.
An adjacent functionality is the firmware password configuration for macOS. This allows further hardening of a device, requiring a password to access the macOS recovery utility and to boot off a different startup disk, both of which can be vectors for a physical attack on a device.
The Restrictions functionality can disable USB connections on devices when they are locked for added physical security. Additionally, for iOS, it can force backups to be encrypted.
The facilities for securing the transport of data are numerous. The following are options that you can tailor for the particular goals and requirements of your organization:
SimpleMDM provides a robust app management solution for both iOS and macOS. Using native MDM functionality, or optionally an on-device agent (read more about our Munki functionality), SimpleMDM can automatically install and configure security-minded software. We recommend considering the following options:
SimpleMDM can automatically keep this software up to date as well as provide a report of installed versions across your fleet of devices.
Should a device become compromised, SimpleMDM provides the following functionality, in increasing magnitude of control.
The configuration of devices in a deployment, when left unmonitored, can be a bit of a moving target. SimpleMDM includes a notification engine that detects when devices unenroll from SimpleMDM, have a configuration issue that prevents them from being managed, or have not been seen for a configurable amount of time. When this happens, administrators can optionally receive email notifications so that the devices can be brought back under management.
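The triage logic such a notification engine performs, as an added example that is not SimpleMDM's implementation: it runs over a constructed device inventory (the field names `enrolled`, `profile_errors` and `last_seen` are assumptions for the example) and classifies each device into the three conditions described above, with the silence threshold configurable.

```python
"""Flag devices that have slipped out of management.

Added example, not SimpleMDM code. The inventory format and field
names below are assumptions for the example.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample inventory as an MDM might report it.
DEVICES = [
    {"name": "mac-001", "enrolled": True,  "profile_errors": 0, "last_seen": "2021-04-12T08:00:00Z"},
    {"name": "mac-002", "enrolled": True,  "profile_errors": 0, "last_seen": "2021-03-20T08:00:00Z"},
    {"name": "ipad-01", "enrolled": False, "profile_errors": 0, "last_seen": "2021-04-11T17:30:00Z"},
    {"name": "mac-003", "enrolled": True,  "profile_errors": 2, "last_seen": "2021-04-12T09:15:00Z"},
]

# Constructed "current time" so the example is deterministic.
NOW = datetime(2021, 4, 12, 12, 0, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage_devices(devices, now=NOW, max_silence=timedelta(days=7)):
    """Return {device name: reason} for every device needing attention.

    Checks are ordered by severity: an unenrolled device cannot be
    managed at all, a device with failed profiles is enrolled but not
    in the intended state, and a silent device may be lost or offline.
    """
    findings = {}
    for d in devices:
        if not d["enrolled"]:
            findings[d["name"]] = "unenrolled"
        elif d["profile_errors"] > 0:
            findings[d["name"]] = (
                f"configuration issue: {d['profile_errors']} profile(s) failed to install"
            )
        else:
            silence = now - parse_ts(d["last_seen"])
            if silence > max_silence:
                findings[d["name"]] = f"not seen for {silence.days} days"
    return findings


def format_alert(findings):
    """Render findings as the body of an administrator notification."""
    if not findings:
        return "All devices are under management."
    lines = [f"{len(findings)} device(s) need attention:"]
    lines += [f"  - {name}: {reason}" for name, reason in sorted(findings.items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_alert(triage_devices(DEVICES)))
```

Keeping the silence threshold as a parameter mirrors the "configurable amount of time" above: a fleet of always-on desktops can use a short window, while travelling notebooks may need a longer one to avoid alert noise.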
A read-only activity log is a necessary facility should there be concerns about device or management activity. SimpleMDM provides a log facility that tracks both configuration changes and actions performed on devices. This is useful when determining what actions were performed, when, and by whom.