Lock down off: disable other profile action

Hello all,

I have MobiControl on version 133.0.3454.

Our client is a Zebra TC75X and the MobiControl client is on version 13.6 build 1476.

I have two profiles:

- one contains a lockdown and settings for SOTI Surf (URL)

- the other contains everything for the application blacklist

Together it all works fine :)

But imagine this scenario: if a user finds the lockdown password -> lockdown is off.

With this, I've noticed that after several seconds, I see that the applications that are blacklisted in the second profile appear ...

Why?

The second profile is always enabled ..

Thanks

4 Answers

Raymond, Chan | posted this 26 February 2019

What is a lockdown password that a user can use to turn off lockdown? Please tell me where in MobiControl you set such a password.

Can you start any blacklisted application during the few seconds when the lockdown is off?

christopheBERNARD | posted this 27 February 2019

Hello Raymond,

The authentication password: when you add a lockdown into a profile, you need to add an authentication option which sets a password.

When you add the lockdown, you receive this message:

"the policies lockdown require an authentification policy, please ensure one is installed on the devices in this or another profile"

My use case is: user finds the password -> OK if the password is secure (letters, numbers, special characters, upper-case letters, max length ..)

It's pretty hard to find it ...

But imagine the user finds the password and lockdown is off; the user normally should see only applications which are whitelisted.

But after 10 or perhaps 20 seconds I see applications which are hidden by my second profile become visible ...

No, I do not start any blacklisted application while the lockdown is off ...

Here are the steps.

a) Install a profile which contains only the blacklist operation, located in Application Run Control.

In this profile, I also have some options in Feature Control: disable installation from unknown sources and disable removal of the MobiControl agent.

When this first profile is properly installed, I assign the second profile.

b) This profile contains SOTI Surf settings, lockdown, and authentication; that's all.

c) Touch the device to have the password form show, enter the password -> lockdown off -> applications that were not visible become visible.

I don't know if this situation is normal or not ..

For me, when I remove the lockdown, my apps which are blacklisted should stay invisible ...

Thanks for your time.

Raymond, Chan | posted this 27 February 2019

It's very creative of you to think of the password you mentioned as a kiosk password. Unfortunately, it is NOT!!

The administrator password in the authentication profile payload is actually the MDM administrator password which is used to force the device into administrator mode. Once in this mode, you can assume that VIRTUALLY ALL of the MDM policies already deployed (feature control, application run control, firewall, lockdown menu, ..., etc.) are temporarily turned off. In the worst cases, the device agent itself can be uninstalled, or many parameters pre-set in Device Settings can be silently modified to violate corporate security policy and create loopholes before the device is returned to MDM user mode. Thus, this MDM administrator password should be properly managed (e.g. partitioning based on location/company organizational structure, especially for implementations with thousands of devices and different MDM administration teams), and updated remotely frequently, or whenever there is suspicion that the password has been leaked/compromised.

Also, due to the potential security risks when compromised, MDM administrators should NOT forget to explicitly force the device back to user mode after working with a device in administrator mode in the field, and should NOT rely on automatic exit of administrator mode on inactivity time-out or device boot. From my experience, such automatic exit mechanisms might occasionally fail due to software bugs or other unknown causes.

In earlier versions (v11 and earlier), before profile support was added, all other policies were not configurable (grayed out and not selectable) from the web console for a device until an administrator password had been configured. With v12 and later versions, it becomes more difficult to enforce this in the GUI. However, the requirement of having a unique, non-conflicting administrator password (i.e. no two or more different administrator passwords defined in multiple profiles) still holds to guarantee normal operation of the device agent. So, please don't forget to deploy an administrator password even if a device does not use the lockdown menu, and please don't assume the password is a lockdown-menu password and abuse its use in the field for insignificant tasks on deployed devices.

The main uses of this administration password include:

1. Temporarily changing various Settings parameters or other options when tuning the set of MDM policies of a new workplace device brand/model to be deployed, or when making policy/settings exceptions (possibly looser security policies or some intentional loopholes) for VIP users.

2. Last line of defense to regain control of a recalled/disconnected device if erroneously deployed MDM policies make day-to-day or remote management operations impossible.

etc.

christopheBERNARD | posted this 28 February 2019

Hello Raymond,

Thanks for the long explanation.

I thought the password set in the profile was for the lockdown ..

Thanks for all.