Mobile Security:How to Secure,Privatize,and Recover Your Devices

Acceptable use policy (AUP)

Back to our story: Roger got you connected to the corporate network via your smart device. You now have e-mail and access to the corporate mobile expense system; all is good in your world. Later that day, you receive a message titled Corporate Mobile Acceptable Use Policy.

The corporate mobile acceptable use policy is now used by many companies. This policy describes how you may use the device and/or access the corporate networks. The standard acceptable use policy (AUP) normally spells out what you can and cannot do on the corporate network. Many people find this a basic conflict of rights, since the device was purchased by the end user. This book does not review these rights, so please do not send messages to the authors regarding this issue; it is between you and your company.

Most acceptable policies follow a basic format which includes:

  • Purpose: This is the definition of the AUP and why it is needed.
  • Applicability: Who this applies to: employees, contractors, students, guests, and others.
  • Employee responsibility: It is the responsibility of the employee who uses a mobile device to follow the AUP and any other corporate rules regarding corporate networks and resources. Most AUPs also require the employee to keep the device safe.
  • Device impacts: What are the rules if the device is lost, stolen, or broken? Many AUPs also include rules that prohibit the end user from jailbreaking the device or installing specific applications, and there may be rules about software licenses. One big point that AUPs may cover is what happens if the device is infected with malware.
  • Malware: A definition of viruses, worms, and spyware.
  • Corporate rights: The AUP may define how the company reserves the right to limit and/or refuse the right of any end user to connect to the corporate network and/or resources.
  • Device list: This is normally a list of devices that are supported by the company.
  • Non-compliance: The AUP will describe the consequences for end users if the rules and/or AUP are not followed. These may include having the device wiped (all data is removed, including e-mail and applications), having the device locked out of the system, and suspension or termination of the end user.

    This book provides a sample AUP in the appendix.

Power users

A power user is an interesting term; in general a power user is an expert user. This is the person that you would go to and say, "do you know how to do this?" In many cases a power user actually knows what they are doing, while others may guess and mess up your phone. Power users are the ones that install the cool applications and know how to quickly solve simple problems.

Bring Your Own Device (BYOD) is causing several issues for large companies, such as the following:

  • End users call the help desk and will ask how to do simple things on their phones
  • E-mail may need to be fixed and/or reconfigured on a device and/or smartphone
  • End users may call the help desk and complain about the speed of the connection

Many corporate help desks will not help users with phone questions such as:

  • "How can I install the Angry Birds game?"

    You may agree this is not normally a critical business request!

The corporate help desk may, however, answer questions like:

  • "My e-mail was working, but now it is not working?"

The end user gets frustrated and may say, "The help desk is no help; I need Angry Birds." The concept is really lost on most end users: BYOD really means "Bring YOUR OWN Device". The help desk at many companies will not help you install games or even your favorite Star Trek episode. The help desk will help you with business-required applications and/or e-mail only.

So what does the end user do? They will ask, "Do you know how ….." This is the birth of the power user. We saw this with PCs, and now we see it with mobile devices.

The risk is that not all power users are the same. Here is our story:

Troy really wanted to get Angry Birds installed. So he went to Bob and said, "The help desk will not help me install any games." Bob tells Troy, "I am an expert, bring your device to me."

Bob takes Troy's iPhone and starts making changes. Bob, not being an expert with the iPhone, resets the device to factory settings, losing all of Troy's applications and e-mail. Now Troy really needs help to get his e-mail and corporate expense system back on his device, and he still does not have any games.

The moral of this story is, "not all power users are powerful and/or knowledgeable; be careful!"

In the later chapters, we will tell you how to back up your device and how to protect it.

Power user tools

We introduced the concept of power users so that you can understand this next section. Most end users will never use these tools. This is an advanced section of the chapter, so please be careful: you may end up with a dead device if you are not. There are several tools you can use to customize your mobile device, including the following:

iPhone configuration tools

The iPhone Configuration Utility lets the end user create configuration profiles that apply specialized settings to the device, install applications, and manage the device.

These configuration profiles are saved and transferred in a special format known as XML. XML (Extensible Markup Language) is a structured text format used by web browsers and many other technologies. The use of XML and/or the iPhone configurator is normally done by administrators and/or real power users.

Two basic terms are used as part of the iPhone configurator, as follows:

  • Payload
  • Configuration file

A payload is a collection of a specific set of configurations that can be pushed to your iPhone. One example is a Virtual Private Network (VPN) payload; a VPN is used to connect to your corporate network via a special set of software and/or hardware.

The configuration profile normally includes several sets of payloads.

You need to tether (connect) your device to a PC in order to use this configuration utility.

The iPhone configurator is available at http://help.apple.com/iosdeployment-ipcu/win/1.1/.
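As an added example (not from the book or from Apple's tooling), the following Python script parses a constructed configuration profile in the XML plist format described above, lists the payloads in its PayloadContent array, and flags two settings a reviewer would want to notice before installing it; the identifiers, UUIDs and network names are made up.

```python
import plistlib

# Constructed sample .mobileconfig (an Apple configuration profile in plist XML).
# Hypothetical identifiers; the PayloadContent array holds one dict per payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?><plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.corp.mobile</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>PayloadIdentifier</key><string>com.example.corp.mobile.vpn</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000002</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>UserDefinedName</key><string>Corp VPN</string>
      <key>VPNType</key><string>IKEv2</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.corp.mobile.wifi</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000003</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>SSID_STR</key><string>CorpGuest</string>
      <key>EncryptionType</key><string>None</string>
    </dict>
  </array>
</dict></plist>
"""

def list_payloads(profile_bytes):
    """Return (PayloadType, PayloadIdentifier) for each payload in the profile."""
    profile = plistlib.loads(profile_bytes)
    return [(p["PayloadType"], p["PayloadIdentifier"])
            for p in profile.get("PayloadContent", [])]

def audit_profile(profile_bytes):
    """Flag settings worth a second look before the profile is installed."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    if profile.get("PayloadRemovalDisallowed"):  # user cannot remove the profile
        findings.append("profile cannot be removed by the user")
    for p in profile.get("PayloadContent", []):
        if p["PayloadType"] == "com.apple.wifi.managed" and p.get("EncryptionType") == "None":
            findings.append("open (unencrypted) Wi-Fi network: " + p.get("SSID_STR", "?"))
    return findings
```

Running `audit_profile` on a profile before accepting it shows what the payloads will change on the device, which is the kind of review a real power user should do rather than installing blindly.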

Android configuration tools

The authors found several tools that can potentially be used by power users and/or administrators. These tools are available at https://play.google.com/store. Some tools to consider are as follows:

  • Configuration
  • Simple tether configuration
  • Simple router configuration
  • Lookout
  • Quick settings

Let's review these tools.

Configuration

Configuration is a basic application that displays and saves the device configuration. Developers can use this type of tool to determine what is running on a device.

Simple tether configuration tool

The simple tether configuration tool was created to work around a bug in the Samsung Galaxy's software that prevented it from remembering a tether configuration.

Simple router configuration

This application is used to browse and change router settings on your network. It will also scan your network to find your IP routers.

Lookout

Lookout offers essential protection against all the bad stuff that can happen to your phone or tablet, such as malware and viruses, loss, and theft. See the following screenshot for an example:

Quick settings

This application provides a quick review of your phone settings.

The hidden world (some advanced information)

Once you connect to your corporate network, you are connected to a hidden world of network access and protection. Most end users will not care about this world or its access connections. This book will show you some of the systems you connect to once your phone opens a path into your corporate network. This world is obfuscated from end users and hackers by design. Each component is installed to protect the end user as well as the corporate network and corporate data. Let's review each of the following basic components:

  • Firewall
  • Reverse Proxy
  • Mail Routing Server
  • Mobile Device Management
  • Application Servers
  • Messaging Servers

Firewall: This is the basic front-end interface into the corporate network. Another term you may hear is DMZ. A DMZ (demilitarized zone) is a computer network inserted between the untrusted Internet and the trusted corporate network, acting as a neutral zone between a company's private network and the Internet. The goal of the DMZ is to prevent unauthorized users from gaining access to a corporate service.

Reverse Proxy: This is normally an extension of the firewall and/or the DMZ. The reverse proxy provides access to the corporate environment through a pass-through process that hides the internal servers from the outside Internet.

Mail Routing Server: This server gives mobile devices a special path into the corporate mail servers. It is a specialized server that also provides the sync processes used to keep the server and the mobile device in sync.

Mobile Device Management: This is a set of tools, servers, and processes that are used to help manage end user mobile devices. A detailed description on administrative MDM is included in the appendix of this book.

Application Servers: These are the servers on which a company hosts its corporate applications, for example, sales tracking and/or accounting tools for mobile devices.

Messaging Servers: These are the servers that host a corporation's messaging and e-mail system.

The preceding example shows sample placements of these components. Keep in mind that these configurations are not published outside of each company's corporate administration teams.