The sub-techniques beta is now live! Read the release blog post for more info.

Enterprise Policy

An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.

ID: M1012
Version: 1.0
Created: 25 October 2017
Last Modified: 17 October 2018

Techniques Addressed by Mitigation

Domain ID Name Description
Mobile T1453 Abuse Accessibility Features

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features.

Mobile T1517 Access Notifications

On Android devices with a managed work profile (enterprise managed portion of the device), the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications (including setting it to an empty list) running within the primary user (personal side of the device) that can see notifications occurring within the managed profile. However, this policy only affects notifications generated within the managed profile, not by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable unwanted applications that are accessing notifications, but using this method would block that entire application from running.

Mobile T1476 Deliver Malicious App via Other Means

On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.

Mobile T1458 Exploit via Charging Station or PC

Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).

Mobile T1417 Input Capture

When using Samsung Knox, third-party keyboards must be whitelisted in order to be available to the end-user.[2]

Mobile T1516 Input Injection

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features.

Mobile T1411 Input Prompt

An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to whitelist applications that are allowed to use Android's accessibility features.

Mobile T1461 Lockscreen Bypass

Enterprises can provision policies to mobile devices to require a minimum complexity (length, etc.) for the device passcode. Enterprises can provision policies to mobile devices to cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. If desired, enterprises can provision policies to mobile devices to disallow biometric authentication. However, biometric authentication can help make "using a longer, more complex passcode far more practical because you don't need to enter it as frequently."[1]

Mobile T1465 Rogue Wi-Fi Access Points

Enterprise policies could be provisioned to devices to control the Wi-Fi access points that they are allowed to connect to.

Mobile T1513 Screen Capture

Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibliityServices method to whitelist applications that are allowed to use Android's accessibility features.

References