The folks at JITCO Partners, an IT consulting firm, have identified a potential security hole in the way most Mobile Device Management (MDM) solutions provision Exchange mail to mobile devices. Basically, they suggest a scenario in which the user self-provisions a second email profile, in addition to the one received via MDM software.
"Almost every single MDM solution out there only authenticates the device for access to your corporate ActiveSync servers, not the client. Sure, you can set policies that only allow a single client to be used, but there's nothing stopping that single client from creating multiple profiles. So the device ID is allowed, the client being used is authorized as defined by your policies, and that's it, that's the extent of the authentication and it doesn't matter how many profiles are downloading replica copies of the same content. So why exactly is this a problem?"
As they point out, even an Exchange gateway designed to block unauthorized clients will not prevent this, because the client, the device, and the user would all be authorized. This is a very legitimate concern, and for BYOD users, who are already accustomed to self-provisioning, creating a second profile would not take a great deal of technical savvy.
Fortunately for Absolute Manage users, our solution is not susceptible to this vulnerability. The reason is that Absolute Manage can deploy Exchange profiles with embedded certificates for user authentication, rather than passwords. Combined with an Exchange server configured to allow only certificate-based authentication by mobile devices, this prevents self-provisioning by users (a profile created by hand has no MDM-issued certificate, so it cannot authenticate even from an enrolled device), and maintains the company's ability to selectively remove corporate email from employee-owned devices.
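To make the gap and the fix concrete, the following is an added example (not code from JITCO Partners, Absolute, or Exchange) that simulates the gateway authorization decision over a few constructed ActiveSync request records. The device allowlist, user-agent prefix, CA name, and certificate serials are all invented for illustration. It shows that a device-ID-plus-client policy admits a second, self-provisioned profile from the same enrolled device, that a policy which additionally requires a client certificate from the MDM enrollment CA rejects it, and that revoking the certificate is what makes selective removal of corporate mail enforceable. It also includes the detection a defender would want: flag any device ID that is seen authenticating with more than one method.

```python
"""Toy ActiveSync gateway policy check (constructed example, not vendor code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class EasRequest:
    """One ActiveSync request as a gateway would see it (hypothetical fields)."""
    user: str
    device_id: str      # the ActiveSync DeviceId the MDM solution allowlists
    user_agent: str     # the mail client identifying itself
    auth: str           # "client-cert" or "password"
    cert_issuer: str = ""   # DN of the CA that issued the client cert, if any
    cert_serial: str = ""   # serial of that cert, if any


# Constructed sample traffic: one enrolled device carrying two profiles,
# plus a request from a device that was never enrolled.
REQUESTS = [
    EasRequest("alice", "DEV-ABC123", "Apple-iPhone/1001.523", "client-cert",
               "CN=Corp MDM Enrollment CA", "1A"),          # MDM-deployed profile
    EasRequest("alice", "DEV-ABC123", "Apple-iPhone/1001.523", "password"),
                                                            # self-provisioned 2nd profile
    EasRequest("alice", "DEV-ZZZ999", "Apple-iPhone/1001.523", "password"),
                                                            # unenrolled device
]

# What a typical MDM gateway authorizes: (user, device) pairs and a client type.
ALLOWED_DEVICES = {("alice", "DEV-ABC123")}
ALLOWED_UA_PREFIX = "Apple-iPhone/"

# What the certificate-only configuration additionally requires.
ENROLLMENT_CA = "CN=Corp MDM Enrollment CA"
REVOKED_SERIALS: set[str] = set()


def device_only_policy(req: EasRequest) -> bool:
    """Device ID and client type are authorized; the profile itself is not."""
    return ((req.user, req.device_id) in ALLOWED_DEVICES
            and req.user_agent.startswith(ALLOWED_UA_PREFIX))


def cert_bound_policy(req: EasRequest) -> bool:
    """Same checks, plus a valid client cert from the enrollment CA."""
    return (device_only_policy(req)
            and req.auth == "client-cert"
            and req.cert_issuer == ENROLLMENT_CA
            and req.cert_serial not in REVOKED_SERIALS)


def evaluate(policy, requests=REQUESTS) -> list[bool]:
    """Apply a policy to each request; True means mail would be served."""
    return [policy(r) for r in requests]


def revoke(serial: str) -> None:
    """Selective removal: revoking the MDM-issued cert cuts off that profile."""
    REVOKED_SERIALS.add(serial)


def mixed_auth_devices(requests=REQUESTS) -> set[str]:
    """Detection: device IDs that authenticate with more than one method."""
    seen: dict[str, set[str]] = {}
    for r in requests:
        seen.setdefault(r.device_id, set()).add(r.auth)
    return {dev for dev, methods in seen.items() if len(methods) > 1}


if __name__ == "__main__":
    print("device-only :", evaluate(device_only_policy))   # second profile gets in
    print("cert-bound  :", evaluate(cert_bound_policy))    # only the MDM profile
    print("mixed auth  :", mixed_auth_devices())            # {'DEV-ABC123'}
    revoke("1A")
    print("after revoke:", evaluate(cert_bound_policy))    # nothing gets in
```

The detection function is the cheap check to run against gateway or IIS logs while the certificate-only configuration is being rolled out: an enrolled device that still shows password-based ActiveSync traffic is exactly the self-provisioned second profile the post describes.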
Additionally, certificate-based authentication empowers users. By not requiring password entry, or even periodic password changes, it enables users to receive email, and be productive, with fewer hoops to jump through.
Empowering users and securing company resources – it's what we do.