Introduction to security on Windows 10...

Post on 10-Apr-2018


Windows 10 Mobile security: introduction

Access from anywhere using any device: protect access to company resources.
Confidential: enforce enterprise security policies on phones.
Manage: easy management and deployment.

Threats: bootkit, malicious software, data leakage.

Countermeasures:
Only trusted pre-OS firmware code can execute.
The firmware only boots a trusted Windows 10 Mobile OS image.
Windows 10 Mobile OS allows only trusted and signed apps to run.
Apps can only access the phone features they require.
Device health can be attested by a remote server.

Security pillars

Chain of trust.
Device management: EAS policies, provisioning packages, MDM, 100+ new policies.
Access control: Windows Hello, PIN, client certificates, conditional access.
App security: Store checks, signed apps, app containers, app restrictions.
Data protection: device encryption, IRM and S/MIME, VPN, EDP.

Management lifecycle

Manage the mobile fleet with 100+ new policies across the whole lifecycle: device configuration, device deployment, app management, device operations, device retirement.

Secure startup

The hardware only loads an unmodified Windows 10 Mobile OS:
Unmodified Windows 10 Mobile OS: loaded.
Modified OS: not loaded.
Malicious OS that looks like Windows 10 Mobile: not loaded.
Other OS: not loaded.

The user knows they are working with a genuine operating system from Microsoft. This prevents attacks and the disabling of security controls.

Chain of trust

ARM chipset: one-time writable info (keys and settings) holding the Platform Key (PK), the Key Exchange Keys (KEK) and the allowed signature DB, which contains the signature for the Windows 10 Mobile OS loader.
UEFI firmware: digitally signed.
Windows 10 Mobile OS: OS loader, OS, digitally signed drivers.

Boot sequence

1. The power key is pressed.
2. The chipset starts the trusted UEFI firmware.
3. UEFI verifies the OS loader signature and checks that the signature is allowed.
4. UEFI loads the trusted OS loader.
5. The OS loader loads the trusted OS components.

Health attestation

UEFI creates a log of the boot process. The boot data is sent to the Health Attestation Service (HAS), which checks it and returns a health token.

Conditional access flow between the phone, Azure AD, Microsoft Intune and the Health Attestation Service (HAS):

1. Authenticate and access services.
2. Access denied, prove that you are healthy!
3. Provide health and policy info.
4. Verify device health. Device is healthy!
5. Conditional access policy: PIN configured, encryption enabled, enrolled to MDM, device reported healthy.
6. Update compliance state.
7. Authenticate and access services. Access granted: use Mail and Calendar.

Secure setup

Phone components: EAS client, provisioning engine, MDM client.
Configuration sources: Microsoft Exchange (EAS), the MDM server, and a provisioning package built with Windows Imaging and Configuration Designer (ICD).

Policy conflict resolution

Policy from one source: Minimum PIN length = 8, Alphanumeric PIN required = False.
Policy from another source: Minimum PIN length = 5, Alphanumeric PIN required = True.

For security related settings the most secure policy wins.
For non-security related settings the last write wins according to priority; MDM has higher priority than provisioning packages.

Resulting policy: Minimum PIN length = 8, Alphanumeric PIN required = True.
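The merge rule above, written out as an added example (not code from the slides): security settings are combined by picking the stricter value, everything else by last write in source priority order. Which source wrote which value is not stated on the slide, so the source names, the extra "Homepage" setting and its values are constructed.

```python
from dataclasses import dataclass

# Priority order: MDM overrides provisioning packages for non-security settings.
SOURCE_PRIORITY = {"provisioning_package": 1, "mdm": 2}

# Security-related settings: "the most secure policy wins". Each entry names the
# function that picks the stricter of two values.
SECURITY_SETTINGS = {
    "MinimumPINLength": max,                          # a longer minimum is stricter
    "AlphanumericPINRequired": lambda a, b: a or b,   # requiring complexity is stricter
}

@dataclass(frozen=True)
class Write:
    source: str
    setting: str
    value: object

def resolve(writes):
    """Merge policy writes from several sources into one effective policy."""
    effective = {}
    # Sort by source priority (stable sort keeps the order within one source), so a
    # later iteration always comes from an equal or higher priority source.
    for w in sorted(writes, key=lambda x: SOURCE_PRIORITY[x.source]):
        if w.setting in SECURITY_SETTINGS:
            stricter = SECURITY_SETTINGS[w.setting]
            effective[w.setting] = (stricter(effective[w.setting], w.value)
                                    if w.setting in effective else w.value)
        else:
            # Non-security setting: last write wins according to priority.
            effective[w.setting] = w.value
    return effective

# Constructed sample: the two conflicting PIN policies from the slide plus a
# non-security setting (hypothetical "Homepage") to show the other rule.
SAMPLE_WRITES = [
    Write("provisioning_package", "MinimumPINLength", 8),
    Write("provisioning_package", "AlphanumericPINRequired", False),
    Write("provisioning_package", "Homepage", "https://intranet.example"),
    Write("mdm", "MinimumPINLength", 5),
    Write("mdm", "AlphanumericPINRequired", True),
    Write("mdm", "Homepage", "https://portal.example"),
]

if __name__ == "__main__":
    print(resolve(SAMPLE_WRITES))
```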

Configuration Service Providers (CSPs)

Microsoft Exchange, the MDM server and provisioning packages all configure the phone through Configuration Service Providers; the MDM server pushes policies to them.

ActiveSync CSP: configure company email accounts.
WiFi CSP: configure company Wi-Fi networks.
Policy CSP: configure device lock policies, hardware restrictions and UI restrictions; enable device encryption.
ClientCertificateInstall CSP: manage client certificates.
RemoteWipe CSP: remotely wipe a device.
VPNv2 CSP: configure a VPN profile for accessing the company intranet.

Policy CSP hardware restrictions: AllowCamera, AllowBluetooth, AllowWiFi, AllowNFC, AllowLocation, AllowStorageCard, AllowUSBConnection.

Accounts

Personal account (Microsoft account): Outlook.com, OneDrive, Xbox Live, Store.
AAD account (Microsoft Azure AD): Skype for Business, SharePoint, Exchange.

On-premises: Company AD with domain joined computers (AD join).
Microsoft cloud: Microsoft Azure AD with cloud joined computers (AAD join) and cloud joined phones (AAD join).
The Directory Sync Tool synchronizes the company AD with Azure Active Directory. Azure AD Premium and Microsoft Intune are the cloud services used for management.

Automatic enrollment

The user sets up a work account on the phone; with Azure AD Premium the phone is automatically enrolled to Microsoft Intune, which then pushes policies to it.

Default account

The first account configured on the phone becomes the default account. It can be a Microsoft account or a work or school account. To change the default account the user must reset the phone to factory settings.
Other accounts: Microsoft account, AAD account, other email accounts.

Account policies:
Deny adding Microsoft accounts to the device.
Deny adding non-Microsoft email accounts to the device.
Deny the user to change the account configuration.

Option 1: the default account is a Microsoft account; possible other accounts are an AAD account and other email accounts.
Option 2: the default account is an AAD account; possible other accounts are a Microsoft account and other email accounts.
In both options the policies "Deny adding Microsoft accounts" and "Deny adding non-Microsoft email accounts" restrict which other accounts can be added.

Passwords and Hello

Problems with passwords:
Password theft: the password is stored on the server and known by the user; a server breach can lead to the loss of thousands of passwords.
Usable from any device: services and data can be accessed from any device and location with the same password.

PIN

The lock screen password has been replaced with the PIN feature: use a PIN instead of a password for authentication.
The PIN is tied to the phone and cannot be used from other devices.
The PIN is local to the phone and is not stored on an external server.
Personal PIN: used as the lock screen password and to authenticate Store purchases.
Work PIN: authenticates access to managed apps.
The phone can be wiped after the lock screen PIN has been entered wrong too many times (managed by policy).
Only numerical PINs can be used by default; the enterprise can enforce alphanumerical PINs via policy.

PIN policy settings (only numerical PINs can be used by default)

Expiration: FALSE, or 1 - 730 (days)
UseCertificateForOnPremAuth: ENABLE / DISABLE
UseBiometrics: ALLOW / DON'T ALLOW
UsePassportForWork: TRUE / FALSE
History: 0, or 1 - 50 previous PINs that cannot be reused (example: after raspberry, strawberry, blueberry, choosing raspberry again is rejected)
UppercaseLetters, LowercaseLetters, SpecialCharacters, Digits: REQUIRE AT LEAST ONE / ALLOW / DON'T ALLOW (example: P277w6rd#)
MinimumPINLength: 4 - X
MaximumPINLength: X - 127

Remote assistance.
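An added example (not from the slides) of how a candidate PIN is checked against the settings listed above: length bounds, the per-character-class REQUIRE / ALLOW / DON'T ALLOW rules and the History window. The policy values and the history list are constructed; P277w6rd# is the slide's own sample.

```python
import re
from dataclasses import dataclass

# The three values a character-class setting can take in the PIN policy.
REQUIRE, ALLOW, DENY = "REQUIRE AT LEAST ONE", "ALLOW", "DON'T ALLOW"

# Character classes named in the policy, each with the regex that detects it.
CLASSES = {
    "UppercaseLetters": r"[A-Z]",
    "LowercaseLetters": r"[a-z]",
    "Digits": r"[0-9]",
    "SpecialCharacters": r"[^A-Za-z0-9]",
}

@dataclass
class PinPolicy:
    MinimumPINLength: int = 4      # 4 - X
    MaximumPINLength: int = 127    # X - 127
    History: int = 0               # 0 = off, otherwise 1 - 50 previous PINs remembered
    UppercaseLetters: str = DENY
    LowercaseLetters: str = DENY
    SpecialCharacters: str = DENY
    Digits: str = REQUIRE          # numerical PIN only, the default

def check_pin(pin, policy, previous=()):
    """Return the list of violated settings; an empty list means the PIN is accepted."""
    problems = []
    if not policy.MinimumPINLength <= len(pin) <= policy.MaximumPINLength:
        problems.append("Length")
    for name, pattern in CLASSES.items():
        rule = getattr(policy, name)
        present = re.search(pattern, pin) is not None
        if rule == REQUIRE and not present:
            problems.append(f"{name}: required")
        elif rule == DENY and present:
            problems.append(f"{name}: not allowed")
    # History: only the last N previous PINs are remembered, and none may be reused.
    if policy.History and pin in list(previous)[-policy.History:]:
        problems.append("History: reused")
    return problems

# Constructed policies: the numeric default, an alphanumeric one that accepts the
# slide's sample P277w6rd#, and a lenient one used to show the history check.
NUMERIC_DEFAULT = PinPolicy()
ALPHANUMERIC = PinPolicy(MinimumPINLength=8, UppercaseLetters=REQUIRE,
                         LowercaseLetters=REQUIRE, SpecialCharacters=REQUIRE)
HISTORY_POLICY = PinPolicy(History=3, LowercaseLetters=ALLOW, Digits=ALLOW)
```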

Windows Hello

User authentication based on a biometric signature. It can be used instead of a PIN to unlock the phone and to authenticate to apps and services; scanning tells the correct user apart from a wrong user.
Supported authentication types: facial recognition, iris scanning, fingerprint recognition.
Hardware requirements: Windows Hello requires special hardware on the phone (for iris scanning an iris sensor and an iris LED) and is not supported by all phones running Windows 10 Mobile. The Microsoft Lumia 950 supports iris scanning.

Certificates

A certificate can be used instead of password authentication (user name and password); the certificate proves the user's identity. Used by Microsoft Edge, Email, Wi-Fi and VPN.

Example: TLS client authentication of the user Tom against a company web server.
Phone: GET ylearning.sharepoint.com
Server: SSL Server Hello (server cert)
Phone: SSL client response with Tom's client certificate: CA=CA2, CN=tom@ylearning.net, EKU=Client Authentication (1.3.6.1.5.5.7.3.2)

Certificate deployment

MDM server: add, delete and query certificates; configure enrollment to a SCEP server.
SCEP server: enroll/renew certificates.
Email server: certificate delivered as an email attachment.
Web server: certificate downloaded from a web server.
Supported formats: .cer, .p7b, .pem, .pfx (password protection).
The Certificates app can be used to view the installed certificates.

Information Rights Management (IRM) in Email, Office and Microsoft Edge

Restrict actions for emails and documents: reply, forward, print, copy, view, edit, save.
Requires Azure Rights Management Services (Azure RMS). Intended recipients can only take the actions specifically granted to them.
Supported apps: Outlook Mail, Office Mobile apps, Pictures (with the RMS Sharing app).

Setting up permissions in Azure RMS:
1. Create a new rights policy template.
2. Configure the rights for the template.
3. Specify which users and groups can use the template.

Applying IRM

On the client: with the RMS sharing app.
On the email server: with an Exchange Online rule made of a condition, an action and an exception; if the condition is met, the selected action is applied and the received message is protected.

S/MIME

Only works with EAS accounts. Requires a valid personal S/MIME certificate.
Digitally sign messages: recipients can identify the sender and verify message integrity.
Encrypt outgoing messages and attachments: only the intended recipients who have the correct certificate can read them.

Microsoft Edge

SmartScreen filter: the URL is checked in the local whitelist and against the list of unsafe web pages on a Microsoft server; check result: unsafe. Periodic anonymous reporting.
No plug-ins are supported. Edge runs in an isolated container.

Edge policies: allow/deny search suggestions in the address bar; allow/deny SmartScreen; configure the home page; configure favorites; prevent SmartScreen prompt override; prevent SmartScreen prompt override for files; allow/deny Browser; allow/deny Cookies; allow/deny Do Not Track headers; allow/deny Password Manager.

App security: app containers

Every app runs inside its own isolated container. Containers are isolated from each other, and each container has access only to specific phone capabilities (camera, SD card, sensors, location, microphone).
App container benefits: attack surface reduction, app isolation, user consent and control.

App capabilities

1. The developer specifies the required capabilities in a manifest file and publishes the app (app + app manifest) to the Windows Store.
2. The manifest file is used in the app certification process, and the user sees the required capabilities on the app details page in the Store.
3. When the app is downloaded, the phone creates a new container for it with access to only the required capabilities.

Privacy control: some capabilities (such as camera access) can provide access to sensitive or private information; the user can dynamically control apps' access to these capabilities from the phone settings.

App installation sources

Apps can only be installed from the Store by default. App sideloading or developer mode must be enabled to install LOB apps from an MDM or company server; this can be enabled manually from the settings or with a policy.

App restrictions:
Store control: disable the Store app completely, or only allow the private Store.
SD card control: prevent apps from being installed to the SD card; prevent app data from being installed to the SD card.
App allow or deny lists (based on app ID or publisher).
Disable developer mode.
Disable automatic app updates.

Updates and wipe

All updates are signed and distributed by Microsoft and delivered over the air (OTA) via cellular or Wi-Fi.
The user can schedule when the update is installed, but cannot opt out from the updates.
Enterprise admins can monitor the software versions in their mobile fleet using MDM.
Enterprises can control and postpone software updates for the Windows 10 Mobile Enterprise version.

Windows 10 Mobile: cannot postpone software updates; install up to 20 self-signed LOB apps on a phone; telemetry data gathering cannot be disabled.
Windows 10 Mobile Enterprise: postpone and curate software updates; no limit on the number of self-signed LOB apps that can be installed; disable telemetry data gathering.

Device reset

By the user: reset using hardware keys, reset from the phone settings, reset with the Windows Device Recovery Tool, reset from Windowsphone.com, reset from Office 365 / Exchange Online.
By an admin: reset with Exchange / Office 365 admin tools, reset with Intune / a 3rd party MDM server, reset with SCCM. Manual device reset can be prevented with a policy.
Wrong PIN: automatic reset after entering a wrong PIN too many times (managed by policy); up to n-1 wrong attempts still allow unlocking, the nth wipes the phone.

Wipe and storage

Device wipe clears the non-persistent storage, and the SD card contents can also be erased with the device wipe. Installed provisioning packages (persistent storage) can be retained and re-applied after the wipe has been completed.

Phone encryption and VPNs

Device encryption uses BitLocker technology: no PIN is needed for encryption, the keys are protected by platform security, and mass memory contents are not readable outside the OS. SD card contents cannot be encrypted. AES-CBC 128 is used; the enterprise can configure the encryption method and cipher strength via MDM.
Apps and USB MTP access the storage through the OS, so decrypted content is shown on a computer connected over MTP.

Enabling device encryption: Exchange via EAS (RequireDeviceEncryption), MDM or a provisioning package via the Policy CSP (RequireDeviceEncryption). Management systems cannot be used to disable encryption. Encryption can also be enabled and disabled by the user.

Virtual Private Network (VPN)

An encrypted VPN tunnel over the Internet connects the phone to the VPN server/firewall in front of the company network and its intranet servers.
Tunnel types: IPsec (IKEv2), L2TP, PPTP, SSL-VPN (vendor-specific app).
Authentication: username/password, smart card, one-time password, client certificate.

Split tunneling: the tunnel is opened when traffic goes to a configured domain / IP range (for example destination 10.2.2.0/24 or 10.5.3.73) or when specific apps are launched; other traffic goes directly to the Internet.

VPN lockdown: the VPN is always on and cannot be disconnected. A filter list of apps and subnets (for example destination 10.2.2.0/24 or 10.5.3.73) determines what traffic can go over the tunnel; all other traffic is dropped.
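The per-connection decision behind the two modes above, as an added example (not code from the slides or from Windows): a flow goes over the tunnel if its destination falls in a listed subnet or its app is listed; otherwise split tunneling sends it directly while lockdown drops it. The two destinations come from the slide; the app names and the sample flows are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    app: str      # hypothetical app name that opened the connection
    dst_ip: str   # destination address of the connection

@dataclass
class VpnProfile:
    subnets: tuple          # destination prefixes that belong to the company network
    apps: tuple             # apps whose traffic always uses the tunnel
    lockdown: bool = False  # True: always on, non-matching traffic is dropped

    def route(self, flow):
        """Return 'tunnel', 'direct' or 'drop' for one connection attempt."""
        dst = ipaddress.ip_address(flow.dst_ip)
        # strict=False lets a bare host such as "10.5.3.73" act as a /32 prefix.
        nets = [ipaddress.ip_network(s, strict=False) for s in self.subnets]
        if flow.app in self.apps or any(dst in n for n in nets):
            return "tunnel"
        return "drop" if self.lockdown else "direct"

# Constructed profiles using the destinations from the slide.
SPLIT = VpnProfile(subnets=("10.2.2.0/24", "10.5.3.73"), apps=("IntranetPortal",))
LOCKDOWN = VpnProfile(subnets=("10.2.2.0/24", "10.5.3.73"), apps=("IntranetPortal",),
                      lockdown=True)

# Constructed sample flows covering each branch of the decision.
SAMPLE_FLOWS = [
    Flow("Browser", "10.2.2.17"),           # inside the /24: tunnel in both modes
    Flow("Browser", "10.5.3.73"),           # exact host match: tunnel
    Flow("Browser", "10.5.3.74"),           # neighbouring host, not listed
    Flow("IntranetPortal", "203.0.113.9"),  # app-triggered: tunnel regardless of destination
    Flow("Weather", "203.0.113.9"),         # personal traffic, not listed
]

def routes(profile, flows=SAMPLE_FLOWS):
    """Decision for each sample flow under the given profile."""
    return [profile.route(f) for f in flows]

if __name__ == "__main__":
    print("split:   ", routes(SPLIT))
    print("lockdown:", routes(LOCKDOWN))
```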

Enterprise Data Protection (EDP)

EDP is still in development. Not all features are yet available and features may still be modified!

Setup: enroll the phone to MDM; Microsoft Intune provisions the EDP policies and encryption keys.

EDP policy:
Protected apps: the list of apps that are trusted to handle enterprise data.
Enterprise network locations: the enterprise IP ranges and domains these apps can access.
EDP protection level: what happens when users try to move data outside the protected apps.

Protected apps are allowed access to the enterprise network locations; personal apps are prevented from accessing them.
Cut, copy and paste from a protected app into personal apps is restricted.
Saving from a protected app to OneDrive for Business is allowed; saving to Dropbox is prevented.

Protection levels:
Block: "Action blocked! This data cannot be copied to this destination" (Ok).
Override: "Action requires confirmation! This action will be logged." (Paste anyway / Cancel).
Silent: create a log in the background.

Outlook Mail as a protected app: work emails (enterprise account) are protected, personal emails (personal account) are not touched.

Unenroll: wipe corporate data from the device while leaving personal data alone; remove the encryption keys and wipe the inaccessible enterprise data (documents). Managed through Microsoft Intune.