Consumer mobile phones create a trail of breadcrumbs about the user which, in aggregate, can put government employees at risk. Mobile phones were built as data collection tools in the first place, making them ill-suited to supporting secure government work. It’s difficult to reliably disable the electronic signatures emitted by consumer mobile phones, further exposing the presence and identity of individuals working in government, military, and intelligence roles.
Existing solutions including Mobile Device Management (MDM) fail to solve many of these problems, whereas altOS addresses them all.
What MDM Can Do
With MDM, an organization can manage many device settings and increase security through steps such as enforcing identity management, password security, controlling what apps can be installed, and fencing off company data used on the device.
Unfortunately, MDM systems aren’t effective at providing all the security needed to protect the user. We’ll dive deeper into the specific limitations of MDM and the solutions altOS provides in comparison.
How altOS Functionally Differs from MDM
There is some degree of overlap between the capabilities of altOS and MDM, such as secure password requirements and limitations on apps that can be downloaded. altOS and MDM can be used in conjunction, but there are multiple, crucial distinctions. Before addressing what those different capabilities are, we’ll describe how altOS delivers the distinct functionality governments need, including protecting the user.
MDM systems can only use the APIs provided by the operating system, and it’s the operating system itself that can’t be trusted on commercial devices. In many cases, the OS itself is collecting and retransmitting information about the user location, user activity, applications, etc. MDMs are good solutions for managing enterprise devices, but they don’t have the capabilities needed to protect government workers.
altOS Was Developed For Government, MDM Was Not
altOS customers have higher privacy and security requirements that MDMs are incapable of meeting. MDMs are restricted to only the functionality the phone makers want you to have. For example, MDMs don’t enable users to turn off location tracking.
MDMs are developed using Apple and Android APIs which enable MDMs to manage about 150 capabilities within the phone. The altOS management console does not rely on the APIs provided by the phone maker. altOS replaces the consumer Android operating system with the proprietary altOS operating system. altOS doesn’t need to ask for permission through the allowed interface of the phone maker’s API. With altOS, you control the operating system and over-the-air updates, and have flexible control over devices and containers, applications, hardware attributes, authentication, security, and more.
altOS and MDM: Distinct But Compatible
We’ve been contrasting MDM and altOS, but organizations don’t have to choose between the two. The solutions are compatible, enabling you to achieve a synergistic combination. For example, some organizations use MDM to enforce policies on the use of corporate email, in conjunction with altOS to enable secure use of mobile devices in sensitive buildings.
Data Exhaust Controls
For government entities, managing mobile devices in the past meant securing only the data, but today it means protecting the user as well. Government employees on critical missions must maintain complete control over location services, modems, and sensors. Unfortunately, most user actions such as turning off Wi-Fi don’t actually eliminate the electronic trail left behind by consumer mobile phones.
But when altOS turns something off, it’s not a mere request to the device OS, which might choose to switch it on. With altOS, “Off Means Off.”
- MDMs don’t provide a way for organizations to control data exhaust from location tracking.
- While the MDM can toggle Bluetooth to “off,” the actual results are at the whim of the OS.
Prevent Compilation of Data to Expose Details About Operatives
Consumer phones create a trail of breadcrumbs about the user such as where they work, where they live, spending habits, and social activities. In turn, this can drive human intelligence on an industrial scale, revealing such insights that can provide foreign intelligence services with a very low risk way of identifying government employees that they can pressure to subvert and recruit them.
altOS is designed to prevent such activity from being correlated with users. With altOS, you can implement a variety of device controls, such as automated Android ad ID reset (to prevent user tracking), Google-free devices, and Google-free containers.
- MDMs lack these capabilities
Control Risks with Secure Mode, for Use in Secure Buildings
The unique altOS Secure Mode enables organizations to dynamically limit altOS device capabilities – particularly useful when devices are brought into secure or covert sites. Secure Mode is device-wide, enforced on all containers, and can be configured to selectively disable:
- Radio signals such as Bluetooth, Wi-Fi, GPS, and NFC
- Cellular network capabilities
- Camera and microphone/speaker
- USB data transfer
Because access is controlled by the altOS operating system, there’s no way for apps or users to work around the controls. Unlike MDM policies which can only set static controls on devices, altOS Secure Mode can be switched on and off as needed. Secure Mode enables altOS phones to be restricted on a geofenced basis. Once out of Secure Mode, users are able to access all the Android consumer-friendly functionality and apps your organization has permitted. This enables altOS devices to be multiple phones in one.
- MDM has no geofencing options
- MDM settings are fixed for the duration and can’t be altered temporarily
Multiple Managed Containers
With altOS, each device can have up to ten different containers. For example, a single device can have personal as well as multiple secret containers of varying levels of security, including confidential unclassified and mission-specific. Hidden containers prevent discovery of sensitive apps and data on a device during forensic analysis and physical inspection, such as at border checkpoints. By default, all containers are securely isolated from one another.
- No MDM systems enable more than two containers.
Control Over Updates
altOS includes an over-the-air (OTA) update server that each customer uses to control operating system updates to their phones. Unlike consumer platforms, no phone maker, wireless carrier, or app developer can come “over the top” and install an update on your phones.
CIS Mobile provides regular updates to customers that include Google’s Android security updates, as well as new features. These patches ensure altOS phones in the field are protected against the latest known vulnerabilities.
Fully Integrated Management, Including Personal Containers
With altOS, organizations have complete control over how devices behave. Unlike other mobile security solutions, altOS enables the organization to fully manage personal containers to reduce the risk of compromise while still respecting user privacy. Users can enjoy approved apps such as social media, and the administrator can still blacklist certain apps, such as TikTok, and block app installation from third party sources.
- MDMs don’t manage personal containers
To learn how CIS Mobile equips customers with a powerful and dynamic mobile platform management system read about altOS Enterprise Management.