Closing the MDM Backdoor
Posted on September 26, 2013 by
Many organizations are moving to Mobile Device Management (MDM) solutions to manage and control their mobile devices. The proliferation of Android and Apple devices has made this almost a necessity.
One of the primary controls in an MDM solution is to prevent mobile devices from connecting to company email unless the device is both managed and compliant with company policy. Almost every MDM vendor accomplishes this with a gateway. Before a mobile device can get email, its connection must first pass through the MDM gateway, which checks (1) whether the device is managed by the MDM solution and (2) whether the device is compliant with company policy. If it fails either test, it is prevented from retrieving email.
However, there is an issue. All of the gateways used by MDM vendors only monitor and control the ActiveSync protocol. They do not monitor or control the Outlook Anywhere (RPC over HTTPS) or Outlook Web Access (OWA) protocols. Modern mobile devices are smart enough to try multiple protocols to connect to email if one of them fails. So, in certain email domain configurations, a device can still retrieve email even though MDM is blocking its ActiveSync connection.
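The gap described above can be made concrete with a small model of the gateway decision. The following is an added example written for this post; it is not code from the post's author or from any MDM vendor, and the function names, the `Device`/`MailRequest` types and the connection records are all constructed for illustration. It shows an ActiveSync-only gateway beside one that applies the same managed-and-compliant check to every mail protocol, a client that falls back through protocols the way the post describes, and a defender-side sweep that flags non-ActiveSync mail connections coming from devices the MDM inventory has never seen.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Iterable, List, Optional, Set


class Protocol(Enum):
    # Exchange ActiveSync is the only path the MDM gateways described inspect.
    ACTIVESYNC = "EAS"
    OUTLOOK_ANYWHERE = "RPC/HTTPS"
    OWA = "OWA"


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool    # enrolled in the MDM solution
    compliant: bool  # currently passes company policy


@dataclass(frozen=True)
class MailRequest:
    device: Device
    protocol: Protocol


def device_passes_mdm(device: Device) -> bool:
    """Both MDM tests from the post: managed AND compliant."""
    return device.managed and device.compliant


def gateway_activesync_only(req: MailRequest) -> bool:
    """The gateway behaviour the post describes: only ActiveSync is checked.
    Every other protocol passes straight through, which is the backdoor."""
    if req.protocol is Protocol.ACTIVESYNC:
        return device_passes_mdm(req.device)
    return True


def gateway_all_protocols(req: MailRequest) -> bool:
    """Closed version: the same check is applied regardless of protocol."""
    return device_passes_mdm(req.device)


# Order a mail client might try protocols in; constructed for the model.
FALLBACK_ORDER = (Protocol.ACTIVESYNC, Protocol.OUTLOOK_ANYWHERE, Protocol.OWA)


def simulate_client(device: Device,
                    gateway: Callable[[MailRequest], bool]) -> Optional[Protocol]:
    """Models a client that tries each protocol until one succeeds.
    Returns the protocol that retrieved mail, or None if all were blocked."""
    for proto in FALLBACK_ORDER:
        if gateway(MailRequest(device, proto)):
            return proto
    return None


@dataclass(frozen=True)
class ConnectionRecord:
    # Constructed shape for a mail connection log entry (not a real log format).
    device_id: str
    protocol: Protocol
    user: str


def find_unmanaged_non_eas(records: Iterable[ConnectionRecord],
                           mdm_inventory: Set[str]) -> List[ConnectionRecord]:
    """Defender check: non-ActiveSync mail connections from device ids that the
    MDM inventory does not know about. These are the connections the
    ActiveSync-only gateway would never have evaluated."""
    return [r for r in records
            if r.protocol is not Protocol.ACTIVESYNC
            and r.device_id not in mdm_inventory]


if __name__ == "__main__":
    rogue = Device("phone-unenrolled", managed=False, compliant=False)
    good = Device("phone-enrolled", managed=True, compliant=True)
    print("open gateway, unmanaged device ->", simulate_client(rogue, gateway_activesync_only))
    print("closed gateway, unmanaged device ->", simulate_client(rogue, gateway_all_protocols))
    print("closed gateway, managed device ->", simulate_client(good, gateway_all_protocols))
    sample = [  # constructed records
        ConnectionRecord("phone-enrolled", Protocol.ACTIVESYNC, "alice"),
        ConnectionRecord("phone-unenrolled", Protocol.OUTLOOK_ANYWHERE, "bob"),
        ConnectionRecord("laptop-7", Protocol.OWA, "carol"),
    ]
    for hit in find_unmanaged_non_eas(sample, {"phone-enrolled"}):
        print("review:", hit)
```

Against the ActiveSync-only gateway the unmanaged device simply falls back to Outlook Anywhere and gets mail; against the closed gateway it gets nothing, while a managed and compliant device still connects over ActiveSync. The inventory sweep is deliberately noisy (a browser on a workstation will show up as well), so it is a starting point for review rather than a block rule.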