ASD's Blueprint for Secure Cloud

Enterprise mobility

Applicability

ISM controls relating to enterprise mobility are applicable to <SYSTEM-NAME> and are covered by this section of the SSP as the system includes the use of corporate mobile devices, but does not permit personal devices to connect to <SYSTEM-NAME> or its resources.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

Use of <SYSTEM-NAME> by <ORGANISATION-NAME>’s staff and contractors is in accordance with the <SYSTEM-NAME> Mobile Device Usage Policy, which requires that all system access is performed via corporately issued devices, and that these devices are used solely for corporate use.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for <SYSTEM-NAME>’s implementation of enterprise mobility are configured with reference to ASD’s Blueprint for Secure Cloud, and includes the following technical configurations:

• conditional access policies are set to prevent non corporately-issued devices from connecting to <SYSTEM-NAME> or its resources
• application control is configured on corporately issued mobile devices to provide some restriction of personal use on these devices
• corporately issued devices connect to the internet through <ORGANISATION-NAME>’s <VPN-SYSTEM> when connecting remotely, and do so with split tunnelling disabled
• corporately issued devices connect to the internet through <ORGANISATION-NAME>’s <GATEWAY-SYSTEM>, which also restricts web categories associated with personal use on these devices.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Mobile device management

Applicability

ISM controls relating to the management of mobile devices are applicable to <SYSTEM-NAME> and are covered by this section of the SSP as the system includes the configuration and hardening of corporately owned and issued Apple iPhones.

While considered to be mobile devices in other contexts, this section of the SSP does not apply to the management of Windows laptops.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational policies and processes implemented

The management of corporately owned and issued mobile devices for <SYSTEM-NAME> is implemented through the use of Microsoft Intune, and is governed by <ORGANISATION-NAME>’s Mobile Device Management Policy. This policy requires appropriate selection of mobile operating systems and use of mobile device management solutions to be from those that have completed appropriate Common Criteria Protection Profiles.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for <SYSTEM-NAME>’s implementation of mobile device management are configured with reference to ASD’s Blueprint for Secure Cloud.

<SYSTEM-NAME> uses Microsoft Intune as its Mobile Device Management (MDM) solution. While Intune has not completed the relevant protection profile assessment, <ORGANISATION-NAME> considers that as Microsoft has commenced the assessment process for Intune and has completed an IRAP assessment of Microsoft 365 services including Intune, associated risks are mitigated. <ORGANISATION-NAME> has reviewed this IRAP assessment together with the commenced protection profile assessment.

<SYSTEM-NAME> requires use of the latest version of iOS, which is currently iOS 17. The most recent version of iOS to have completed the relevant protection profile assessment is iOS 16. However, <ORGANISATION-NAME> considers that while the protection profile assessment is not of the implemented operating system (iOS 17), the recency of the assessment of iOS 16 (OS version N-1) mitigates associated risks.

iOS devices are configured to:

• operate in Supervised Mode
• be remotely wipeable using Intune
• operate with a secure lock screen
• apply the latest security patches released by Apple
• restrict iOS users from installing applications from the App Store on iOS
• restrict iOS users from disabling or modifying security functionality once provisioned.

Mobile device encryption is also inherently enabled for iOS devices’ internal storage.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Mobile device usage

Applicability

ISM controls relating to mobile devices, including Windows laptops and iOS devices, are applicable to <SYSTEM-NAME> and are covered by this section of the SSP.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Organisational Policies and Processes Implemented

Management of <SYSTEM-NAME> mobile devices and their peripherals is in accordance with the <ORGANISATION-NAME>’s <SYSTEM-NAME> Mobile Device Usage Policy.

Use of <SYSTEM-NAME> mobile devices and their peripherals is in accordance with the <ORGANISATION-NAME>’s <SYSTEM-NAME> Mobile Device Usage Policy.

Procedures related to overseas travel by <SYSTEM-NAME> users are outlined in the Overseas Travel SOP.

<SYSTEM-NAME>’s Mobile Device Emergency Sanitisation Standard Operating Procedure provides advice on the remote sanitisation of mobile devices.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Technical controls implemented

Technical controls for <SYSTEM-NAME>’s implementation of mobile device usage were configured with reference to ASD’s Blueprint for Secure Cloud, and implements the following technical configurations:

• Windows Defender for Endpoint is configured to restrict allowed peripherals to an approved list
• iOS is configured to restrict allowed peripherals to an approved list.

<INSERT ADDITIONAL INFORMATION AS APPROPRIATE>

Related information

Security & Governance

• <SYSTEM-NAME> Mobile Device Usage Policy
• <SYSTEM-NAME> Mobile Device Management Policy
• Overseas Travel SOP
• Mobile Device Emergency Sanitisation Standard Operating Procedure

Design

• Conditional Access
• Securing iOS devices
• Endpoint Management

Configuration

• Microsoft Intune - Devices
• Microsoft Entra ID - Devices
• iOS and iPadOS
• Endpoint Security

External documentation

• ASD’s Guidelines for Enterprise Mobility
• ASD’s Blueprint for Secure Cloud