Approved Application Lists...

Don't know if this is the right place, may be better in Windows but who knows!

We're going through Cyber Essentials at work, all fine apart from the Approved Application List for BYODs. The actual requirement is:

(B) Where you use an app-store or application signing, do you ensure that users only install applications that have been approved by your organisation and do you document this list of approved applications? You must create a list of approved applications and ensure users only install these applications on their devices. This includes employee-owned devices. You may use mobile device management (MDM) software to meet this requirement but you are not required to use MDM software if you can meet the requirements using good policy, processes and training of staff.

Now aside from directors we're a team of 8, so tiny, and personally I think the fact that we've sailed through all the other questions is hugely positive compared to some of my colleagues' horror stories of prior companies (passwords stuck on post-its or in a shared .txt file etc.).

But everyone here needs to use a mobile device for work as the majority aren't always office-based. And everyone wants to use their own phone rather than having two devices. Obviously from a business perspective we also want that too, as individual phones and contracts will be incredibly (and unnecessarily) costly.

But this approved application list is something I don't know how we can work with. We're too small to implement an MDM which would be totally overkill. And being so small there's confidentiality issues with asking people to request apps that aren't on a list; what if someone's in a relationship but requests to install a dating app, or has a healthcare tracker, or does OnlyFans on the side or whatever.

Equally the requirement is only for me to approve them, and I wouldn't really know how to judge the safety of an app beyond the obvious (CryptoHaxDailyLolz with 8 downloads).

Now to my question/TLDR: is there a list available of the most popular apps from both Android and iOS to populate a list of approved apps? Say the top 1000 (or more!) by # of downloads? To cover all those obvious ones like Tinder etc and then any that aren't on the list can be submitted/requested/added to confidentially.
 
Hello, it sounds a bit of a pickle.

I’ve looked after two solutions in previous roles for companies that have CE+. Mostly MobileIron, but I’ve touched other systems.

I wonder for CE if you could simply say you use a manual process. E.g. you issue company iPhones. You manually configure each phone before issuing it to staff; install allowed apps; block access to the store. You manually check and update the iOS version / apps on each phone within 14 days of a new release. It still leaves the grey area of lost devices / needing to securely wipe data remotely, although you might be able to argue it with a strong password etc.

There are some free solutions too, but I’ve not used them. For example, ManageEngine is free for 25 devices.

Sorry I cannot be of more help.
 
You want to control what apps are running on devices owned by employees? Why?

It can be a requirement to get certain levels of certification. The certificate then proves to clients that you are responsible with their data. It helps gain business, insurance costs, etc.

Some reasonable examples could be keeping work data (documents, emails etc.) on a phone. The data itself might be sensitive personal data: medical records, legal case work, etc. A CE certificate means, assuming good faith, you manage the data on the phone. The phone itself is managed (or the workspace, if using MAM - mobile application management) and you can remotely lock, wipe, delete access etc. if certain rules are hit - e.g. not keeping the phone updated. It also helps if you get a work phone back (someone leaving) and the user doesn’t provide the PIN: you can reset it.

Another option is to create a safe secured space on personal phones where the data is kept (MAM). Only certain apps can access into the space. The apps might have extra security to use / access them. When someone leaves, you only delete the workspace.

The general idea is that if a phone is lost, infected with malware, hacked, etc., there is a barrier that makes it harder to get at the data.
 
Sorry, I forgot to mention there are also the grey areas. E.g. work contacts. I’ve never found a good answer as to who actually owns contact information when someone leaves a firm. There is no clear answer on this. It could be argued, in certain cases, if using MAM, that you could own and delete certain contacts, texts, etc. too when someone leaves.
 
We have a mixture of company-owned phones and some users on BYOD - we don't attempt to restrict what a user can do on their own phone, we just enforce a security policy that says the user must have an 8-digit or longer alphanumeric password.

We use AirWatch to deploy our systems - so company-owned Android phones are enrolled and heavily restricted - they use the Play Store for apps, but they only see the apps we have approved.

BYOD Android & Apple devices effectively have a "container" installed on them which runs an app called "Boxer" - this is where they collect their corporate email, access contact lists etc. We can remotely wipe that container; we cannot remotely access any other part of the user's own device.

AirWatch can have a number of different profiles - so for example we have corporate mobiles, corporate Android tablets, corporate iPads, BYOD Android, BYOD Apple.

If users enrolled a BYOD fully into our AirWatch system we could restrict what they can do - but realistically, unless you're getting users to sign contracts effectively saying "So that nice mobile you've purchased with your own money - we will completely govern what you can & cannot do with it", I don't see how you can force that on people.
 
Thanks all, I've actually solved the issue now by utilising Google Workspace's built-in MDM functions, which we already use, and which are sufficient to be compliant with CE.
 
That's great news. I was worried for you about the overhead of managing just a few devices. I guess the only thing to point out, if using MDM and these are BYOD, is that you have to tread carefully about how you unenrol a device, deal with lost phones, etc.

I clearly remember the case where a partner lost their iPad. Swore blindly it was stolen. Told me to wipe it. So I nuked it from orbit; it's the only way to be sure ;)

A day later, they got it back. It was in the back of a taxi. "Can I restore the data?" I am sure you can imagine my answer.
 