NIST SPECIAL PUBLICATION 1800-22

---

Mobile Device Security:

Mobile Device Security:

Bring Your Own Device (BYOD)

---

Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)

Kaitlin Boeckl

Nakia Grayson

Gema Howell

Naomi Lefkovitz

Jason Ajmo

R. Eugene Craft

Milissa McGinnis*

Kenneth Sandlin

Oksana Slivina

Julie Snyder

Paul Ward

*Former employee; all work for this publication done while at employer

FINAL

This publication is available free of charge from https://doi.org/10.6028/NIST.SP.1800-22

NIST SPECIAL PUBLICATION 1800-22

Mobile Device Security: Bring Your Own Device (BYOD)

Includes Executive Summary (A); Approach, Architecture, and Security Characteristics (B); and How-To Guides (C)

Kaitlin Boeckl

Nakia Grayson

Gema Howell

Naomi Lefkovitz

Applied Cybersecurity Division

Information Technology Laboratory

Jason Ajmo

R. Eugene Craft

Milissa McGinnis*

Kenneth Sandlin

Oksana Slivina

Julie Snyder

Paul Ward

The MITRE Corporation

McLean, VA

**Former employee; all work for this publication done while at employer.

FINAL

September 2023

U.S. Department of Commerce

Gina M. Raimondo, Secretary

National Institute of Standards and Technology

Laurie E. Locascio, NIST Director and Under Secretary of Commerce for Standards and Technology

Volume A

• Executive Summary
  • Challenge
  • Solution
  • How to Use This Guide
  • Share Your Feedback
  • Collaborators

Volume B

• 1 Summary
  • 1.1 Challenge
  • 1.2 Solution
    • 1.2.1 Standards and Guidance
    • 1.2.2 Benefits of this Example Solution
• 2 How to Use This Guide
  • 2.1 Typographic Conventions
• 3 Approach
  • 3.1 Audience
  • 3.2 Scope
  • 3.3 Assumptions
  • 3.4 Risk Assessment
    • 3.4.1 Security Threats
    • 3.4.2 Vulnerabilities
    • 3.4.3 Problematic Data Actions
    • 3.4.4 Risks
  • 3.5 Applying Risk Assessments to this BYOD Example Solution
• 4 Architecture
  • 4.1 Common BYOD Risks and Potential Objectives to Remediate Those Risks
    • 4.1.1 Threat Events
    • 4.1.2 Privacy Risks
      • 4.1.2.1 Privacy Risk Examples and Mitigation Methodologies
    • 4.1.3 Security and Privacy Objectives
  • 4.2 Example Scenario: Putting Guidance into Practice
  • 4.3 Technologies that Support the Security and Privacy Objectives of the Example Solution
    • 4.3.1 Trusted Execution Environment
    • 4.3.2 Enterprise Mobility Management
    • 4.3.3 Virtual Private Network
    • 4.3.4 Mobile Application Vetting Service
    • 4.3.5 Mobile Threat Defense
    • 4.3.6 Mobile Operating System Capabilities
      • 4.3.6.1 Secure Boot
      • 4.3.6.2 Device Attestation
      • 4.3.6.3 Mobile Device Management Application Programming Interfaces
      • 4.3.6.4 iOS App Transport Security
      • 4.3.6.5 Android Network Security Configuration
      • 4.3.6.6 Application Sandboxing
  • 4.4 Architecture Description
  • 4.5 Enterprise Integration of the Employees’ Personally Owned Mobile Devices
    • 4.5.1 Microsoft Active Directory Integration
    • 4.5.2 Mobile Device Enrollment
  • 4.6 Mobile Components Integration
    • 4.6.1 Zimperium–MaaS360
    • 4.6.2 Kryptowire–MaaS360
    • 4.6.3 Palo Alto Networks–MaaS360
    • 4.6.4 iOS and Android MDM Integration
  • 4.7 Privacy Settings: Mobile Device Data Processing
    • 4.7.1 EMM: MaaS360
    • 4.7.2 MTD: Zimperium
    • 4.7.3 Application Vetting: Kryptowire
    • 4.7.4 VPN: Palo Alto Networks
• 5 Security and Privacy Analysis
  • 5.1 Analysis Assumptions and Limitations
  • 5.2 Build Testing
  • 5.3 Scenarios and Findings
    • 5.3.1 Cybersecurity Framework, Privacy Framework, and NICE Framework Work Roles Mappings
    • 5.3.2 Threat Events and Findings
    • 5.3.3 Privacy Risk Findings
• 6 Example Scenario: Putting Guidance into Practice
• 7 Conclusion
• 8 Future Build Considerations
• Appendix A List of Acronyms
• Appendix B Glossary
• Appendix C References
• Appendix D Standards and Guidance
• Appendix E Example Security Subcategory and Control Map
• Appendix F Example Privacy Subcategory and Control Map

Supplement

• 1 Applying This Build: Example Scenario
  • 1.1 Standards and Guidance Used in this Example Scenario
• 2 About Great Seneca Accounting
  • 2.1 Great Seneca Accounting’s Business/Mission Objectives
• 3 Great Seneca Accounting’s Target Profiles
• 4 Great Seneca Accounting Embraces BYOD
• 5 Applying NIST Risk Management Methodologies to Great Seneca Accounting’s BYOD Architecture
  • 5.1 Using Great Seneca Accounting’s Target Profiles
  • 5.2 Great Seneca Uses the Target Profiles to Help Prioritize Security and Privacy Control Deployment
    • 5.2.1 Identifying and Tailoring the Baseline Controls
  • 5.3 Great Seneca Accounting Performs a Risk Assessment
  • 5.4 Great Seneca Accounting Tailors Their Security and Privacy Control Baselines
    • 5.4.1 An Example Tailoring of the System and Communications Protection Security Control Family
• Appendix A List of Acronyms
• Appendix B Glossary
• Appendix C References
• Appendix D A Note Regarding Great Seneca Accounting
• Appendix E How Great Seneca Accounting Applied NIST Risk Management Methodologies
  • E.1 Overview of Risk Frameworks and Tools That Great Seneca Used
    • E.1.1 Overview of the NIST Cybersecurity Framework
    • E.1.2 Overview of the NIST Privacy Framework
    • E.1.3 Overview of the NIST Risk Management Framework
    • E.1.4 Overview of the NIST Privacy Risk Assessment Methodology
  • E.2 Using Frameworks to Establish or Improve Cybersecurity and Privacy Programs
• Appendix F How Great Seneca Accounting Used the NIST Risk Management Framework
  • F.1 Understanding the Risk Assessment Process
  • F.2 Risk Assessment of Great Seneca Accounting’s BYOD Program
  • F.3 Development of Threat Event Descriptions
  • F.4 Great Seneca Accounting’s Leadership and Technical Teams Discuss BYOD’s Potential Threats to Their Organization
    • F.4.1 Threat Event 1
    • F.4.2 Threat Event 2
    • F.4.3 Threat Event 3
    • F.4.4 Threat Event 4
    • F.4.5 Threat Event 5
    • F.4.6 Threat Event 6
    • F.4.7 Threat Event 7
    • F.4.8 Threat Event 8
    • F.4.9 Threat Event 9
    • F.4.10 Threat Event 10
    • F.4.11 Threat Event 11
    • F.4.12 Threat Event 12
  • F.5 Identification of Vulnerabilities and Predisposing Conditions
  • F.6 Summary of Risk Assessment Findings
• Appendix G How Great Seneca Accounting Used the NIST Privacy Risk Assessment Methodology
  • G.1 Privacy Risk 1: Wiping Activities on the User’s Device May Inadvertently Delete the User’s Personal Data
  • G.2 Privacy Risk 2: Organizational Collection of Device Data May Subject Users to Feeling or Being Surveilled
  • G.3 Privacy Risk 3: Data Collection and Transmission Between Integrated Security Products May Expose User Data
  • G.4 Mitigations Applicable Across Various Privacy Risks
  • G.5 Privacy References for Example Solution Technologies

Volume C

• 1 Introduction
  • 1.1 Practice Guide Structure
  • 1.2 Build Overview
  • 1.3 Typographic Conventions
  • 1.4 Logical Architecture Summary
• 2 Product Installation Guides
  • 2.1 Network Device Enrollment Services Server
    • 2.1.1 NDES Configuration
  • 2.2 International Business Machines MaaS360
    • 2.2.1 Cloud Extender
      • 2.2.1.1 Cloud Extender Download
      • 2.2.1.2 Cloud Extender Active Directory Configuration
      • 2.2.1.3 MaaS360 Portal Active Directory Authentication Configuration
      • 2.2.1.4 Cloud Extender NDES Integration
    • 2.2.2 Android Enterprise Configuration
    • 2.2.3 iOS APNs Certificate Configuration
    • 2.2.4 Apple User Enrollment (UE) Configuration
      • 2.2.4.1 Apple Business Manager (ABM) Configuration
      • 2.2.4.2 MaaS360 Configuration
    • 2.2.5 Android Configuration
      • 2.2.5.1 Policy Configuration
      • 2.2.5.2 VPN Configuration
    • 2.2.6 iOS Configuration
      • 2.2.6.1 Policy Configuration
      • 2.2.6.2 VPN Configuration
  • 2.3 Zimperium
    • 2.3.1 Zimperium and MaaS360 Integration
    • 2.3.2 Automatic Device Activation
    • 2.3.3 Enforce Application Compliance
    • 2.3.4 MaaS360 Risk Posture Alerts
  • 2.4 Palo Alto Networks Virtual Firewall
    • 2.4.1 Network Configuration
    • 2.4.2 Demilitarized Zone Configuration
    • 2.4.3 Firewall Configuration
    • 2.4.4 Certificate Configuration
    • 2.4.5 Website Filtering Configuration
      • 2.4.5.1 Configure Basic Website Blocking
      • 2.4.5.2 Configure SSL Website Blocking
    • 2.4.6 User Authentication Configuration
    • 2.4.7 VPN Configuration
      • 2.4.7.1 Configure the GlobalProtect Gateway
      • 2.4.7.2 Configure the GlobalProtect Portal
      • 2.4.7.3 Activate Captive Portal
      • 2.4.7.4 Activate the GlobalProtect Client
    • 2.4.8 Enable Automatic Application and Threat Updates
  • 2.5 Kryptowire
    • 2.5.1 Kryptowire and MaaS360 Integration
• Appendix A List of Acronyms
• Appendix B Glossary
• Appendix C References
• Appendix D Example Solution Lab Build Testing Details
  • D.1 Threat Event 1 – Unauthorized Access to Sensitive Information Via a Malicious or Intrusive Application Practices
  • D.2 Threat Event 2 – Theft of Credentials Through a Short Message Service or Email Phishing Campaign
  • D.3 Threat Event 3 – Confidentiality and Integrity Loss Due to Exploitation of Known Vulnerability in the OS or Firmware
  • D.4 Threat Event 4 – Loss of Confidentiality of Sensitive Information Via Eavesdropping on Unencrypted Device Communications
  • D.5 Threat Event 5 – Compromise of Device Integrity Via Observed, Inferred, or Brute-Forced Device Unlock Code
  • D.6 Threat Event 6 – Unauthorized Access to Backend Services Via Authentication or Credential Storage Vulnerabilities in Internally Developed Applications
  • D.7 Threat Event 7 – Unauthorized Access of Enterprise Resources From an Unmanaged and Potentially Compromised Device
  • D.8 Threat Event 8 – Loss of Organizational Data Due to a Lost or Stolen Device
  • D.9 Threat Event 9 – Loss of Confidentiality of Organizational Data Due to its Unauthorized Storage in Non-Organizationally Managed Services
  • D.10 Privacy Risk 1 – Wiping Activities on the Employee’s Device May Inadvertently Delete the Employee’s Personal Data
  • D.11 Privacy Risk 2 – Organizational Collection of Device Data May Subject Employees to Feeling or Being Surveilled
  • D.12 Privacy Risk 3 – Data Collection and Transmission Between Integrated Security Products May Expose Employee Data
  • D.13 Privacy Risk 4 – Employees Might Feel Compelled to Participate in Data Processing Practices Inconsistent with Expectations
  • D.14 Privacy Risk 5 – Unauthorized or Invasive Application Processing of Information Exposes Employee Data