Mobile Security Program FAQ

 

L&E Research's mobile security program exists to protect company and client data.  This is done by installing a program called Google Device Policy on mobile devices.  This program allows the company to control access to work data, as well as enforce basic security measures on the device.  Additionally, the company is able to remotely wipe the work profile from enrolled devices or, with your consent, the entire device (for example, should your device be stolen).


First, a disclaimer:

This program does not allow the company to "spy" on you.  There is no functionality whatsoever for the program to access personal data, files, pictures, your screen or camera.  The only access which exists relates to work data and programs, and only to the extent of managing work-related programs, work data, and work profiles.


You are of course free to refuse to enroll in this program, in which case your work account will not be accessible on your device except through web browsers.  If you decline to enroll in this program, access to Google services, including Email, Docs, and Drive, on your mobile device through other programs will not be allowed.


The following policies are enforced on enrolled devices:

  1. All enrolled devices must have a screen lock with a basic password (even the "swipe-type").
  2. Sharing of data between work and personal apps is disallowed.
  3. On Android: taking screenshots of work applications is disabled.
  4. On Android: devices which do not sync in 7 days have the work profile removed automatically.
  5. On Android: copying and pasting data between work and personal apps is disallowed.


No other policies are enforced on enrolled devices.  Whenever available, the option has been taken to be as unintrusive as possible and to enforce as few rules as feasible while still maintaining security.


There are some basic aspects of this program:

  1. In order to facilitate management of enrolled devices, the company is able to see some data on enrolled devices: the model, serial number, ID, phone number, carrier, operating system, build number and kernel version, baseband version, MAC address, and language.
  2. The company is able to enforce the following settings and perform the following actions: enforce settings and per-application restrictions, create/access/delete data in the work profile, install/remove applications and certificates, list applications accessing the work profile, remotely wipe work profile data, remotely wipe the device, restrict sharing from the work profile, block screen capture in the work profile, and view statistics and monitor network activity and location data for work profile apps.  Note that the ability to do something does not indicate that this ability is exercised, only that such ability exists.
  3. Due to platform differences between Android and Apple devices, enforced policies or settings may differ; however, the two will be kept in accord as best as possible.
  4. All staff will be notified of any changes to device policy in a timely manner whenever possible.


To reiterate: this does not give the company access to any data or files on your mobile device except that which is specifically stated above.


For an explanation of how the program works, you may consult this knowledge base article; though specific to iOS devices, the concepts are largely applicable to Android as well.  The article for Android devices is available here.


Additionally, you may see exactly what aspects of the policy are enforced and what information is shared by following the instructions here for iOS or by selecting "Policies" from the Google Device Policy app on Android devices.


In the interest of transparency, below are screenshots of the dashboard interface for the program showing exactly how little access the company has:


As you can see, only five options are available: block (blocks the device from syncing to the company), wipe device (wipes the entire device), wipe account (wipes the work profile only), delete (deletes the device entry from the dashboard), and view details (explained below).


The "view details" page is as follows:


And finally, below the device details is a list of applications which have access to work profile data:


As you can see, not even system functions (external storage, wallpaper, photos, phone & message storage, etc.) have access to the work profile, and vice versa.


On iOS devices, only the work profile applications are listed:


If you have any further questions about this program, please email the helpdesk.