LanceSeboe
Contributor

Workspace ONE UEM SaaS environment, Best Practices for Law Enforcement User and Device set up. Anyone have any resources?

We have a Workspace ONE UEM SaaS environment in a local government setting. I am looking for Best Practices documentation or information for Law Enforcement User and Device set up. How do you use Restriction Profiles? Email profiles? Geofencing? Containerization? Etc.? How do you handle managed devices being used for collection of evidence? How do you handle any evidence that they might collect?
6 Replies
DiegoRamirezDie
Contributor

Hi Lance,

I don't have links to Best Practices, but one recommendation I always make (it was given to me as well): "Keep your payloads separate." At most I might place two payloads into a profile, but it can get tricky fast as the version numbers for profiles increase as soon as you make an edit and save. Although you might have a 1:1 profile/payload setup under Profiles, it can make management easy since you'll know exactly what specific item you are working with. I'd be glad to hear anyone else's recommendation as well. This is just my current practice.
AbrahamSanchez
Contributor

Hi Lance, I can only tell you how we deal with some of the same concerns. We are running Workspace ONE UEM SaaS as well in a rather large health care setting. Your request is broad, but perhaps I can provide a little insight on how we lock down and manage our MDM solution. I just responded to an earlier post from a user that offered some disturbing comments on how liberal they are with user access and apps. So here is how we manage MDM. On profiles, we created roles to ensure users don't have the ability to change or create profiles. We see profiles the same as Group Policy and we only allow certain admins to create or edit profiles. Every build is documented, and with respect to security, we provide our security team with the base build of every project to ensure all settings are appropriately locked down. Whenever any of the policies change in a build it gets documented. Also, it may be worth taking some time to think about how you plan on developing your structure around existing policy. We had to come up with good policy to ensure users are aware of what they can and can't do. Workspace ONE is huge with many moving parts, so there is a lot to consider. We have corporate owned devices, and BYOD devices. We also have corporate owned devices that users are allowed to use as personal, but we restrict the user from downloading personal apps on a corporate device, same for music. Phones are immediately wiped if not seen for over 30 days, or reported missing. We don't use geofencing because if you think about it, what happens if a device is stolen and the SIM is removed or turned off? We are more concerned with protecting the data and not so much the device itself. Also, not so sure if upper management would appreciate tracking of their location. When it comes to corporate owned phones we also have a tech review process for each build, to make sure it falls in line with protecting PHI.
The last thing you want is to have an employee ask to have Words with Friends on a corporate owned phone that presents a security risk. You may want to look into Intelligence for Workspace ONE and see if there are additional benefits you may want to leverage. There is much to consider with your structure, and from what I see out there, many organizations manage their MDM solution like they manage their personal iPad or Android. We are also DEP, so that adds another layer to the security concerns we have. Rather than geofence, we set up profiles to only allow the device to connect to certain Wi-Fi. The device can't even be used at home if removed from location. We are also AD integrated, and restrict access to apps by AD groups as well. Where admins seem to miss the mark, in my personal opinion, is focusing on builds and not structure, policy and documentation. We also have asset recovery, but that's more for devices that are not being used in the organization that someone has stored in their cabinet. We are very concerned here with PHI, so we disable things like screenshots, Bluetooth, certain Wi-Fi, and require exception approval that has a specific use case. We build out exceptions for those and control them with AD security groups. I can go on forever. We really spent a lot of time trying to get this right. So far so good. It took a while for users to understand this is not your home iPad or Android device. We also lock down what you can and can't do with email, like attachments. Hope this helps or starts the conversation on how to build out a reliable MDM solution. Finally, internal workflows we have in place for things like kiosks and clinical devices that require 24 hour turnaround time. All purchases are managed via our purchasing department, to keep track of assets, recovery, and hardware consistency. Again, much to consider. I hope the info was helpful in any way. Feel free to share your experience as you move forward.
-Abe
chengtmskcc
Expert

Hi Lance, not sure which state/county/city you are affiliated with. I live in New York City and serve as an auxiliary police officer. Our full-time officers are given an iPhone provisioned with AirWatch, and I looked at one briefly and had a general idea of how it's configured. Are you looking to do the same for your officers?
chengtmskcc
Expert

Abe, thanks for sharing your setup with us. Depending on Lance's level, this may or may not be overwhelming.

Below is my comment and I welcome your feedback in return.

On profiles, we created roles to ensure users don't have the ability to change or create profiles. We see profiles the same as Group Policy and we only allow certain admins to create or edit profiles. – Good security practice!

Every build is documented, and with respect to security, we provide our security team with the base build of every project to ensure all settings are appropriately locked down. Whenever any of the policies change in a build it gets documented. – Good documentation goes a long way.

Also, it may be worth taking some time to think about how you plan on developing your structure around existing policy. We had to come up with good policy to ensure users are aware of what they can and can't do. Workspace ONE is huge with many moving parts, so there is a lot to consider. We have corporate owned devices, and BYOD devices. We also have corporate owned devices that users are allowed to use as personal, but we restrict the user from downloading personal apps on a corporate device, same for music. – We have the same use cases except we do allow downloading personal apps. Or worse, we are not (and we should be) limiting manual profile install, as users are installing beta OS on devices that may contain PHI!

Phones are immediately wiped if not seen for over 30 days, or reported missing. – How do you account for folks on long vacation/sabbatical? We do remove profiles including email after 30 days as well.

We don't use geofencing because if you think about it, what happens if a device is stolen and the SIM is removed or turned off? We are more concerned with protecting the data and not so much the device itself. Also, not so sure if upper management would appreciate tracking of their location. When it comes to corporate owned phones we also have a tech review process for each build, to make sure it falls in line with protecting PHI. – I totally agree with that. As long as your data is secured, the phone can be easily replaced.

The last thing you want is to have an employee ask to have Words with Friends on a corporate owned phone that presents a security risk. You may want to look into Intelligence for Workspace ONE and see if there are additional benefits you may want to leverage. – How do you like Intelligence and what's your normal use case?

There is much to consider with your structure, and from what I see out there, many organizations manage their MDM solution like they manage their personal iPad or Android. We are also DEP, so that adds another layer to the security concerns we have. Rather than geofence, we set up profiles to only allow the device to connect to certain Wi-Fi. The device can't even be used at home if removed from location. – We have the same setup for devices that require specific Wi-Fi to access in-house resources.

We are also AD integrated, and restrict access to apps by AD groups as well. – This is truly best practice but may vary from one environment to another.

Where admins seem to miss the mark, in my personal opinion, is focusing on builds and not structure, policy and documentation. We also have asset recovery, but that's more for devices that are not being used in the organization that someone has stored in their cabinet. We are very concerned here with PHI, so we disable things like screenshots, Bluetooth, certain Wi-Fi, and require exception approval that has a specific use case. We build out exceptions for those and control them with AD security groups. I can go on forever. We really spent a lot of time trying to get this right. So far so good. It took a while for users to understand this is not your home iPad or Android device. We also lock down what you can and can't do with email, like attachments. – I suppose you utilize Secure Email Gateway to restrict email attachments? And do you use VMware Content as well?
AbrahamSanchez
Contributor

– How do you account for folks on long vacation/sabbatical? We do remove profiles including email after 30 days as well. – We encourage users to keep their device stored and plugged in. Some have docking stations, so the device is either left behind or the device remains in the user's possession.

– On profiles, yes, only one payload is recommended, as noted in the VMware docs.

– We have the same use cases except we do allow downloading personal apps. Or worse, we are not (and we should be) limiting manual profile install, as users are installing beta OS on devices that may contain PHI! – Thomas, I have nothing for that one, ha! Dangerous practice there.

– How do you like Intelligence and what's your normal use case? – We are still evaluating. Definitely has benefit, but like everything else comes with a cost.

– On Content Locker, we are working on that along with file shares. We like what we are seeing, but more testing is needed.

– On the AD integration, I know many companies have not jumped on board and are still creating basic users. However, my understanding is that those accounts are not automatically removed when a user is termed. With basic user accounts you have to remove manually. We started with basic but it was not long before we realized it was not such a great idea.

Sounds like we have taken very similar steps in security and structure. Great conversation. Apps are the one thing we have decided to rein in. Can't have PHI text being passed to an app where info is stored on some kid's basement server. There are licensing issues, audits, security risk, all associated with apps. Even some of the app licensing agreements state "by approving you are agreeing to network scan, access to phone and address content." Exactly what every NYC PD wants. Great feedback.
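The stale-device rule the two posters compare ("wiped if not seen for over 30 days, or reported missing" versus removing the managed profiles after 30 days) and the long-leave question Thomas raises are easy to get subtly wrong when implemented as an automated compliance action. The following is an added example, not code from the thread or from Workspace ONE: a small policy evaluator over a constructed device inventory. The `Device` fields, the `approved_leave_until` exemption, and the mapping of corporate devices to a full device wipe and BYOD devices to an enterprise wipe are all assumptions made for the example; the 30-day threshold is the one stated in the posts.

```python
"""Added example: evaluate a last-seen / reported-missing wipe policy over a
constructed device inventory.  Hypothetical policy model, not Workspace ONE
code or its API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

STALE_AFTER = timedelta(days=30)   # "not seen for over 30 days" (from the thread)


@dataclass
class Device:
    udid: str
    owner: str
    ownership: str                          # "corporate" or "byod" (assumed values)
    last_seen: datetime                     # last check-in with the management console
    reported_missing: bool = False
    approved_leave_until: Optional[datetime] = None   # hypothetical documented exemption


def decide_action(device: Device, now: datetime) -> str:
    """Return the action the policy demands for one device.

    Evaluation order matters: a device reported missing is wiped regardless of
    any leave exemption, because the exemption exists for a device sitting in a
    docking station, not for one that has left the owner's control.
    """
    # Assumption: BYOD gets an enterprise wipe (managed profiles, email, apps
    # removed); corporate-owned devices get a full device wipe.
    wipe = "enterprise_wipe" if device.ownership == "byod" else "device_wipe"

    if device.reported_missing:
        return wipe
    if device.approved_leave_until is not None and now <= device.approved_leave_until:
        # Exemption is still valid; it is re-checked on every run, so an
        # expired leave falls straight through to the staleness rule.
        return "none"
    if now - device.last_seen > STALE_AFTER:   # strictly "over" 30 days
        return wipe
    return "none"


def evaluate_inventory(devices: List[Device], now: datetime) -> Dict[str, str]:
    """Map every device UDID to the action the policy requires right now."""
    return {d.udid: decide_action(d, now) for d in devices}


# Constructed sample inventory (not real devices or people).
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    Device("corp-001", "officer.a", "corporate", NOW - timedelta(days=2)),
    Device("corp-002", "officer.b", "corporate", NOW - timedelta(days=45)),
    Device("corp-003", "officer.c", "corporate", NOW - timedelta(days=45),
           approved_leave_until=NOW + timedelta(days=30)),      # on documented leave
    Device("corp-004", "officer.d", "corporate", NOW - timedelta(days=1),
           reported_missing=True),                               # seen yesterday, but missing
    Device("byod-001", "officer.e", "byod", NOW - timedelta(days=31)),
    Device("corp-005", "officer.f", "corporate", NOW - timedelta(days=45),
           approved_leave_until=NOW - timedelta(days=1)),       # leave expired
    Device("corp-006", "officer.g", "corporate", NOW - timedelta(days=30)),  # exactly 30 days
]

if __name__ == "__main__":
    for udid, action in evaluate_inventory(SAMPLE, NOW).items():
        print(f"{udid}: {action}")
```

Two points the sample is built to show: the exemption has to be an explicit, dated record (which is the "document everything" theme of Abe's post, applied to the vacation case), and "reported missing" must be checked before the exemption, otherwise a device that is lost while its owner is on leave is never actioned.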
LanceSeboe
Contributor

Hi Guys,
First, thank you for your responses. You are right, my question is too broad. Let's try this: when setting up a Restrictions Profile for Law Enforcement devices, what sort of settings do you allow (or disallow)? What other things do you allow or disallow on the device?