Deep Dive into ForeScout Part 4: Securing BYOD and MDM for Smartphones and Tablets in Enterprise

Throughwave Team • 10/15/2012
ForeScout, BYOD, MDM, mobile security, device management

After previously discussing centralized endpoint management and control with ForeScout CounterACT, let's continue by exploring how ForeScout helps secure smartphones and tablets used by employees (BYOD) and devices provided by the organization (Corporate-owned), leveraging both BYOD and MDM (Mobile Device Management) capabilities.

What is BYOD?

BYOD (Bring Your Own Device) is the concept of allowing employees to bring personal devices, such as notebooks, smartphones, and tablets, into the workplace. These devices are highly capable tools for work, communication, and data access, enabling employees to work from anywhere at any time. However, this also introduces significant security risks to organizations.

How Does ForeScout Support BYOD?

At the core of BYOD implementation is the ability of the network to recognize and classify devices connected to the system (distinguishing whether they are PCs, notebooks, smartphones, or tablets) and then enforcing security policies accordingly. These policies may include user registration, authentication, access control, log management, and detection and prevention of attacks originating from those devices. Many organizations choose to grant smartphones and tablets lower network access privileges compared to corporate-owned PCs and notebooks.

ForeScout supports BYOD with the following capabilities:

  • Detect devices connected to the network in real time and classify operating systems such as Microsoft Windows, Linux, Unix, Apple iOS, Google Android, Blackberry, Nokia Symbian, and even Cisco IOS.
  • Enforce security policies including authentication, access control, and deep inspection based on detected device type, device security posture, and network location.
  • Classify devices according to ownership through authentication, white lists, MAC address assignment, and installed software inspection.
  • Limit or block network access based on device classification and security levels according to defined security policies.
  • Send notifications through HTTP pages for announcements or software deployment to endpoint devices.
  • Provide registration portals that allow users to conveniently register for network access, while enabling non-IT personnel within the organization to approve guest access.
  • Automatically detect and prevent worm and virus propagation or attacks from all connected devices without requiring endpoint software installation.

What is MDM (Mobile Device Management)?

MDM (Mobile Device Management) is an approach designed to centrally control mobile devices such as smartphones and tablets through software installation or device configuration. This includes enforcing passcodes, preventing jailbreaking, deploying or restricting mobile applications, encrypting devices, disabling certain hardware features, and even remotely wiping data if a device is lost. MDM is particularly suitable for organizations that provide corporate mobile devices to employees and need to secure highly sensitive data stored on those devices. This differs from BYOD environments, where devices are personally owned and users may not be comfortable installing management software.

ForeScout supports MDM with the following capabilities:

  • Inspect hardware information such as vendor, model, OS version, installed applications, and serial number.
  • Detect jailbroken iOS devices and rooted Android devices.
  • Enforce password and passcode policies.
  • Enforce encryption of stored data.
  • Send announcements and alerts through push notifications.
  • Install and update mobile device software remotely.
  • Configure security policies and mobile device profiles.
  • Lock devices or wipe all data, or selectively wipe only corporate data.
  • Perform asset management by maintaining software and hardware inventories.
  • Provide secure cloud file sharing services to users.
  • Create enterprise app storefronts.
  • Define voice roaming and data roaming policies.
  • Configure wireless and VPN profiles.
  • Apply policies and controls specifically when devices connect within the organization, while also supporting management of remote external connections.

Advantages of ForeScout Over Other BYOD and MDM Solutions

  • Easy deployment without requiring major network modifications. Unlike many BYOD solutions that depend on 802.1X, SNMP, VLAN migration, or ARP spoofing, ForeScout simplifies deployment and increases implementation success rates.
  • Unified management for both PCs and mobile devices within a single platform, unlike competitors that separate wired and wireless environments.
  • Built-in detection and prevention of internal network threats, allowing ForeScout to enhance overall network security beyond simple device management.
  • Flexible device classification customization, enabling administrators to fine-tune detection and policy enforcement according to their specific network environment.
  • Real-time hardware and software inventory generation, simplifying management of both PCs and mobile devices while enabling centralized software deployment.
  • Support for Virtual Desktop Infrastructure (VDI), allowing ForeScout to manage both physical and virtual endpoints alongside BYOD and MDM environments.

If you are interested in ForeScout solutions, please contact info@throughwave.co.th or call +66 2-210-0969 to receive consultation directly from Throughwave Thailand Co., Ltd. You can also learn more about ForeScout solutions from the following datasheets:

ForeScout CounterACT – Automated Security Control / Next Generation Network Access Control (NAC + BYOD + IPS + PC Management)

ForeScout MDM – Mobile Management / Mobile Device Management / Mobile Security Management

Source: www.throughwave.co.th
