Jump to content
Sign in to follow this  
Master_Scythe

'Droid: Imaging\Enterprise Managment

Recommended Posts

So, a lil help if you'd be so kind my friends!

My place of employment is looking to distribute Android Tablets to Rural Queensland.

 

So first, is there an imaging or ninite style installer for Android tabs?

That first one is a simple question, there must be some way to mass deploy tablets.

 

We're looking for a security solution that will let us:

Lock down the tablets. (no settings menu, except certain things, like wifi)

Manage them from a web portal. (wipe, reset passwords, etc)

and NOT lock us out of the device, if the user tries to set passwords and such. (google accounts are not the best, they're TOO secure, we want a self managed web portal if possible, or just a more friendly Cloud Management portal)

 

Ideally, we'd like to be able to 'push' apps to the devices, disable the play store (at least, from a user level), and such like that.

I think a few antivirus vendors may offer this?

 

I'm just finding it really hard to search for this information and a lot more of it is from 2012~2015, so there could easily be a lot more out there I don't know about.

Can you guys suggest any sort of remote management on Android?

 

The upper management doesn't want to go the iPad route, because in Rural locations, while all of them are steal-able, there's a prestige to i-devices, that make them much more theft friendly.....

 

Thanks guys!

Share this post


Link to post
Share on other sites

I don't think Android is real good in that regard. Sure, with the popular and high end devices you get the hacker community making all sorts of customizations and flashable images but such things aren't officially supported and can break at moment's notice.

You can hide apps but I think they need to be disabled first. But even with apps hidden there's workarounds - check out a really cool app called "Activity Launcher", I use it to access control settings that aren't within the normal menu structure.

I guess if you disable Play Store and stuff like dev mode and installing untrusted apps, that takes it some of the way to Kiosk Mode.

Pushing apps to the devices - I guess there should be some automation sw around that can do that. Of course you'd need to be able to cope with things like running low on storage.

 

The phone makers (or some) seem to have a system that updates their bloatware seperately from the normal ecosystem so it has to be possible. But of course they're the ones who've customized the OS for their devices.

Another avenue to explore might be 3rd party launchers like Nova but the weakness of launchers is that they're really just a skin and usually easy to get around and in some cases occasionally crashes and dumps you back in the default UI.

Share this post


Link to post
Share on other sites

I can do all the security with parental mode if need be, I'd just then need to know how to image it, and have a cenral mangment engine.

 

There HAS to be one.

Share this post


Link to post
Share on other sites
Posted (edited)

Have looked at G-Suite?

 

https://support.google.com/a/answer/1734200?hl=en

 

You can use Google Mobile Management to manage, secure, and monitor mobile devices in your organization. You can manage a range of devices, including phones, tablets, and smartwatches. People in your organization can use their personal devices for work (BYOD), or you can give them company-owned devices to use.

There are 2 levels of mobile management—basic and advanced. Each level of management gives you a different set of features. Some advanced features, such as mobile auditing and rules aren’t available in all editions

 

(It's not free but anyway)

Edited by Jeruselem

Share this post


Link to post
Share on other sites

Have looked at G-Suite?

 

https://support.google.com/a/answer/1734200?hl=en

 

You can use Google Mobile Management to manage, secure, and monitor mobile devices in your organization. You can manage a range of devices, including phones, tablets, and smartwatches. People in your organization can use their personal devices for work (BYOD), or you can give them company-owned devices to use.

There are 2 levels of mobile management—basic and advanced. Each level of management gives you a different set of features. Some advanced features, such as mobile auditing and rules aren’t available in all editions

 

(It's not free but anyway)

 

So long as there's a free trial so I can value prove it to the organisation, that'll be fine.

 

Will that same tool allow me to apply 'profiles'\configs to new devices?

Share this post


Link to post
Share on other sites

 

Have looked at G-Suite?

 

https://support.google.com/a/answer/1734200?hl=en

 

You can use Google Mobile Management to manage, secure, and monitor mobile devices in your organization. You can manage a range of devices, including phones, tablets, and smartwatches. People in your organization can use their personal devices for work (BYOD), or you can give them company-owned devices to use.

There are 2 levels of mobile management—basic and advanced. Each level of management gives you a different set of features. Some advanced features, such as mobile auditing and rules aren’t available in all editions

 

(It's not free but anyway)

 

So long as there's a free trial so I can value prove it to the organisation, that'll be fine.

 

Will that same tool allow me to apply 'profiles'\configs to new devices?

 

 

I don't know, but there's a free trial so you can find out I guess.

Share this post


Link to post
Share on other sites

I don't know if this helps, but my personal phone can be wiped by my works tech department through email. They use a Microsoft exchange which in order for me to use it, I must give them access. They can in theory change my passwords/security settings, turn the device off, see failed authentication attempts etc.

Share this post


Link to post
Share on other sites

I don't know if this helps, but my personal phone can be wiped by my works tech department through email. They use a Microsoft exchange which in order for me to use it, I must give them access. They can in theory change my passwords/security settings, turn the device off, see failed authentication attempts etc.

 

Thanks for that :)

That is actually a point, and one I'll keep in mind.

 

Catch would be that a factory reset would get past that; however it might be suitable for 'in OS' management... hmm

Share this post


Link to post
Share on other sites

I imagine there's the usual trojan horse inserted by the tech department on the phone for that to happen.

Share this post


Link to post
Share on other sites

You seem to be looking for an enterprise-level endpoint security solution. These tend to roll device management and anti-malware/firewall/etc into one and can generally be controlled through a web console. They do cost money, but they often have trial periods and I wouldn't trust a free one anyway (free ones probably steal your megahurts).

 

Some non-Google suggestions (by no means an exhaustive list):

Sophos Endpoint Security:

https://www.sophos.com/en-us/products/endpoint-antivirus.aspx

 

Palo Alto GlobalProtect:

https://www.paloaltonetworks.com/products/globalprotect/subscription.html

 

Micro Focus Connected MX Endpoint Protection:

https://software.microfocus.com/en-us/products/endpoint-backup-protection/overview

 

Symantec Endpoint Protection Cloud:

https://www.symantec.com/products/endpoint-protection-cloud

 

BitDefender Security for Mobile:

https://www.bitdefender.com/business/mobile-security.html?irgwc=1&clickid=yKbXoWRE0QiuVZ:xNAV7j3iwUkjQT3XLTVK9wM0&MPid=13013&cid=aff|c|IR

 

The above are just a few examples of the products that are out there. Other security product vendors have similar offerings, but my suggestions are as follows:

- Do a Google or DuckDuckGo search for 'Android Endpoint security' if you want a longer list. Beware of the ads from third parties offering products that they do not own, as these could be pirate/spyware/botnet-central offerings.

- If your organisation has anything to do with Government, the not-for-profit sector (which often gets funding from and does things for Government) or confidential business info/IP, avoid products from places like China, Russia, the Middle East or really anywhere that is not a member of the Five Eyes, the EU, Japan or South Korea. For example, whilst by all accounts, Kaspersky is a great AV product, it does scan files and send data back to Russia. This would be a problem for any government agency, given Russia's reputation regarding hacking and the control their intelligence services exercise over Russian companies. To put it bluntly, ASIO would likely have a fit (and with good reason) if they found out that an Aussie Govt agency, fund recipient or contractor was using a product that essentially gives full control over user devices to a company based in the territory of a potential adversary. If your organisation falls into these categories, it is best to pick a product from the US, UK, Canada or Australia.

- In any event, check with your company's security team before spending time investigating a solution to make sure you aren't wasting time on something that would be banned.

- Read through the product specs to see what they do and pick ones that purport to do what you want to test.

- Get the free trial (or request one) to find the one most suitable for your needs and that offers the best features, performance, stability, etc.

- When evaluating anti-malware products remember that: (a) the best ones pretty much behave like a virus. They are persistent and hook into the device at a low level. You want this as it makes it harder for the unwanted rootkits to hook in. (b) Signature-based malware detection is ancient history. It sucks compared to behaviour-based detection, or even better a combination of both. The ones I have posted above use Cloud-based protection, meaning that their signatures are updated in real-time from threat sharing between security vendors. This is better than just relying on local signatures. Some (e.g. Sophos) also use behaviour-based protection, which blocks dodgy program behaviour like attempted buffer overflows and code injection into other processes. Behaviour-based protection is still not perfect (nothing is 100% unhackable), but it protects against many zero-days as most follow certain behaviours to get arbitrary code execution.

 

Good luck! :-)

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

×