Creation date: 19.5.2017
Author: System4u, s.r.o.
Enterprise Mobility Report 4/2017
System4u s.r.o. Tel.: +420 543 210 522 IČ: 26945231, DIČ: CZ26945231 Křížová 18, 603 00, Brno E-mail: [email protected] Zapsaná v obchodním rejstříku u Krajského Czech Republic www.system4u.cz soudu v Brně, oddíl C, vložka 47320.
Enterprise Mobility Report
April 2017
2
Content
Content ................................................................................................................................. 2
Introduction ........................................................................................................................... 4
Summary ............................................................................................................................... 4
iOS .................................................................................................................................... 4
Android .............................................................................................................................. 4
Blackberry ......................................................................................................................... 5
Windows Phone ................................................................................................................ 6
Mobility report details ............................................................................................................ 7
iOS .................................................................................................................................... 7
Vulnerability ................................................................................................................... 7
About the security content of iOS 10.3.1 ..................................................................... 7
Apple Updates iOS to Patch Wi-Fi Vulnerability .......................................................... 7
Apple Warns Some Users iOS 10.3 May Have Re-Enabled Some Services ............... 8
Last Version: 10.3.2 ....................................................................................................... 8
Android .............................................................................................................................. 9
Vulnerability ................................................................................................................... 9
Broadcom WiFi vulnerability allows remote code execution, affects almost all Android devices ....................................... 9
N-day Nvidia, Android driver security flaw details revealed ......................................... 9
Trend Micro discovers vulnerability in Android debugger "Debuggerd" ......................10
Millions of Android Devices Vulnerable to Network Scan Attack ................................11
Android Security Bulletin April 2017: What you need to know ....................................12
Last Version 7.1.2 ........................................................................................................14
Blackberry ........................................................................................................................15
Vulnerability ..................................................................................................................15
Blackberry powered by Android Security Bulletin – April 2017 ...................................15
BlackBerry is the first non-Google OEM to push April security patch .........................19
Interesting Articles ........................................................................................................19
Blackberry is getting a huge refund from Qualcomm after a royalty dispute ...............19
Windows Phone ...............................................................................................................20
Vulnerability ..................................................................................................................20
Windows 10 Mobile build 14393.1066 still doesn't fix vulnerability that exposes your photos ........................................20
Interesting Articles ........................................................................................................21
Only a subset of Windows Phones will get Windows 10 Creators Update ..................21
Windows 10 Mobile security guide .............................................................................22
MDM ....................................................................................................................................23
MobileIron ........................................................................................................................23
MobileIron Core 9.3.0.2 ................................................................................................23
MobileIron Sentry 9.0.2 .................................................................................................29
Last Version .................................................................................................................32
Airwatch ...........................................................................................................................33
VMware Airwatch 9.1 ....................................................................................................33
Last Version .................................................................................................................33
What is the Difference between MDM, EMM and UEM? ...................................................34
Introduction
This is the full version of System4u's Enterprise Mobility Report, issued for our customers and subscribers. Here you will find not only news about the security of the iOS, Android, BlackBerry and Windows Phone operating systems, but also interesting articles and links from the enterprise mobility world. This report also covers the EMM solutions MobileIron and AirWatch; other EMM solutions will be added in the future.
Summary
iOS
Apple iOS 10.3.1 is available for iPhone 5 or later, 4th generation iPad or later and 6th
generation iPod touch or later. The update fixes a Wi-Fi vulnerability that allowed an
attacker within range to execute arbitrary code on the Wi-Fi chip; the underlying stack
buffer overflow was addressed through improved input validation. Apple's support page
credits the finding to Gal Beniamini of Google Project Zero and tracks it as
CVE-2017-6975.
Apple has sent out emails to some iOS users, informing them that the recent update to
iOS 10.3 may have re-enabled some on-device services after the user had disabled
them. A bug in iOS 10.3 may lead to some iCloud services being re-enabled after they
were initially disabled by the user. The email suggests that users go into Settings and
check whether any of the services they turned off have been turned back on.
Android
Google is out with its April 2017 Android security update, patching 102 different
vulnerabilities in the mobile operating system. Of the vulnerabilities patched by Google
this month, only 15 are rated as having critical impact. Not surprisingly, the media server
component is once again being patched by Google. The Android media server has been
patched in every Android security update issued by Google since August 2015. In the
new April update, media server accounts for 15 flaws in total, including six rated as
critical, five as high and four with only moderate impact.
A researcher from Google's Project Zero security team has revealed an exploit for
Broadcom WiFi chips that can allow an attacker to execute code on your device.
According to the exhaustive Project Zero analysis, Broadcom is missing some very
basic security measures including stack cookies, safe unlinking, and access permission
protection. Broadcom chipsets have a memory protection unit, but Beniamini found it
ineffective at preventing the attack. Broadcom says its next generation of chips will
have more advanced protections.
Zimperium zLabs researchers published a blog post detailing the security flaws, two
escalation of privilege bugs found within the NVIDIA Video driver and MSM Thermal
driver. The Nvidia bug, CVE-2016-2435, impacts Android 6.0 on the Nexus 9 handset.
The problem arises when attackers craft an application to tamper with read/write
memory values and force privilege escalation. The second security flaw, CVE-2016-2411,
involves a Qualcomm power management kernel driver, the MSM Thermal
driver, in Android version 6. If an attacker crafts a malicious application, they can give
themselves root access through an internal bug in the driver, leading to privilege
escalation.
Trend Micro has found a new vulnerability that exists in phones running Android
IceCream Sandwich to Lollipop. The vulnerability in Android's debugging program,
Debuggerd, allows a hacker to view the device's memory and the data stored on it.
You can create a special ELF (Executable and Linkable Format) file to crash the
debugger and then you can view the dumps and log files of content stored on the
memory. The glitch in itself is not a big threat but the type of data it can give a hacker
access to can lead to a difficult situation. Google is said to be working on a fix in the
next version of Android for this.
Researchers have recently discovered hundreds of vulnerable apps on the Google Play
Store that allow hackers to inject malicious code which, once downloaded, can steal
all data from an infected Android device. The problem, according to the researchers,
is that some of the apps open ports on smartphones. This is not a new problem, since
computers have faced the same issue, but it is something new when it comes to
smartphones. A team from the University of Michigan used a custom tool to scan more
than 24,000 applications, and 410 of them were found to be flawed. At least one of
those apps has been downloaded so many times that there are potentially millions of
vulnerable Android devices.
Blackberry
While companies like Samsung, LG, Huawei or Motorola are pushing March security
updates to their Android smartphones, BlackBerry has already started to roll out the
April security patch. Considering the update has just been made available by Google
for its Nexus and Pixel devices, alongside Android 7.1.2 Nougat, this is a notable
achievement on BlackBerry's part. Besides starting to push the update to its
smartphones, BlackBerry published the Android Security Bulletin that lists all the
vulnerabilities fixed in this update. Apparently, there are quite a lot of security issues
that have been addressed in this patch. Keep in mind that the update is rolled out OTA,
so if you own a BlackBerry PRIV, DTEK50 or DTEK60 smartphone, you should be
notified when the April security patch becomes available for download.
Qualcomm has to return nearly $815 million to BlackBerry for royalties the Canadian
smartphone maker overpaid between 2010 and 2015.
Windows Phone
A handful of existing Windows Phone devices from Microsoft and other manufacturers
will get the Windows 10 Creators Update before the end of April. Here's what's on the
current list.
o Alcatel IDOL 4S
o Alcatel OneTouch Fierce XL
o HP Elite x3
o Lenovo Softbank 503LV
o MCJ Madosma Q601
o Microsoft Lumia 550
o Microsoft Lumia 640/640XL
o Microsoft Lumia 650
o Microsoft Lumia 950/950 XL
o Trinity NuAns Neo
o VAIO VPB051
Back in February, a security vulnerability was discovered in Windows 10 Mobile that
leaves your photos exposed to anyone who picks up your phone. With the device
locked, all you have to do is take a picture, delete it, press back, tap the thumbnail of
the image, press back again, tap the thumbnail again, and then press back and tap the
thumbnail one more time. With that simple process, you get access to the owner's full
camera roll. The issue still hasn't been fixed in build 14393.1066. Since this
vulnerability was discovered, it has not been possible to replicate it in preview builds
of the Creators Update.
Mobility report details
iOS
Vulnerability
About the security content of iOS 10.3.1
Site: support.apple.com
Released April 3, 2017
Wi-Fi
Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation
and later
Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip
Description: A stack buffer overflow was addressed through improved input validation.
CVE-2017-6975: Gal Beniamini of Google Project Zero
Apple Updates iOS to Patch Wi-Fi Vulnerability
Site: www.securityweek.com
Apple has released an emergency security update for its iOS operating system to address a
serious vulnerability affecting the Wi-Fi component.
According to the tech giant, the flaw is a stack-based buffer overflow that allows an attacker
who is within range to execute arbitrary code on the Wi-Fi chip.
The security hole, tracked as CVE-2017-6975, has been addressed with the release of iOS
10.3.1 through improved input validation, Apple said. The update is available for iPhone 5 and
later, iPod touch 6th generation and later, and iPad 4th generation and later.
iOS 10.3.1 was released just one week after Apple announced the general availability of iOS
10.3, which brings many new features and patches for nearly 90 vulnerabilities. Roughly 30 of
these security holes were reported to Apple by Google Project Zero researchers.
Apple Warns Some Users iOS 10.3 May Have Re-Enabled Some Services
Site: www.iphonehacks.com
Apple has sent out emails to some iOS users, informing them that the recent update to iOS
10.3 may have enabled some on-device services after they were initially disabled by the user.
As first reported by MacRumors, Apple has sent out emails to some iOS users, signaling that
a bug in iOS 10.3 may lead to some iCloud services being re-enabled after they were initially
disabled by the user. The email suggests users should go into Settings and check to see if any
of those services they turned off have been turned back on.
Unfortunately the email doesn’t explicitly say any one specific service that might be reactivated,
but the report does say that one user had iCloud Mail deactivated, and iOS 10.3 reactivated it:
“We discovered a bug in the recent iOS 10.3 software update that impacted a small number of
iCloud users. This may have inadvertently reenabled some iCloud services that you had
previously disabled on your device. We suggest you go to iCloud settings on your iOS device
to make sure that only the services you’d like to use are enabled. Learn more about how to
manage your iCloud settings or contact AppleCare with any questions. The iCloud team”
iOS 10.3 was launched on March 27, and Apple released iOS 10.3.1 one week after.
Last Version: 10.3.2
Android
Vulnerability
Broadcom WiFi vulnerability allows remote code execution, affects almost all Android devices
Site: www.androidpolice.com
A researcher from Google's Project Zero security team has revealed an exploit for Broadcom
WiFi chips that can allow an attacker to execute code on your device.
Gal Beniamini from Project Zero developed a method of feeding a device WiFi frames with
irregular values. This causes a stack overflow in the Broadcom firmware, and that provides an
opening to run arbitrary code on the device. The proof of concept doesn't do anything major
(and it requires the attacker to know a targeted device's MAC address), but Beniamini was
able to write values to a specific memory address. That suggests a properly motivated
individual or group could use this to hack a device.
According to the exhaustive Project Zero analysis, Broadcom is missing some very basic
security measures including stack cookies, safe unlinking, and access permission protection.
Broadcom chipsets have a memory protection unit, but Beniamini found it ineffective at
preventing the attack. Broadcom says its next generation of chips will have more advanced
protections.
This doesn't only affect Android. Apple released a patch for this vulnerability in its most recent
iOS update. On Android, it'll take a while to get devices updated. This vulnerability was fixed
in the April security patch, so there are some Android devices protected. Not very many,
though.
https://googleprojectzero.blogspot.cz/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
N-day Nvidia, Android driver security flaw details revealed
Site: www.zdenet.com
The technical details of security vulnerabilities impacting the Nvidia Video and an Android
driver have been revealed by Zimperium, which acquired the flaws as part of an exploit
acquisition program.
Zimperium zLabs researchers published a blog post detailing the security flaws, two escalation
of privilege bugs found within the NVIDIA Video driver and MSM Thermal driver.
The Nvidia bug, CVE-2016-2435, impacts Android 6.0 on the Nexus 9 handset. The problem
arises when attackers craft an application to tamper with read/write memory values and force
privilege escalation.
The second security flaw, CVE-2016-2411, involves a Qualcomm power management kernel
driver, the MSM Thermal driver, in Android version 6. If an attacker crafts a malicious
application, they can give themselves root access through an internal bug in the driver, leading
to privilege escalation.
These bugs are well documented, known, and for the most part security updates have been
issued. However, Zimperium says that making the technical details available of these so-called
"N-day" flaws is important and can act as a catalyst to boost the speed of patch production and
to iron out problems arriving between a patch being created and vendors distributing the
update in good time.
The technical details of the N-day exploits have been previously shared through Zimperium's
Handset Alliance (ZHA), which includes Samsung, Softbank, Telstra, and BlackBerry.
Trend Micro discovers vulnerability in Android debugger "Debuggerd"
Site: techalert.pk
Trend Micro has found a new vulnerability that exists in phones running Android IceCream
Sandwich to Lollipop.
The vulnerability in Android's debugging program, Debuggerd, allows a hacker to view
the device's memory and the data stored on it.
You can create a special ELF (Executable and Linkable Format) file to crash the debugger and
then you can view the dumps and log files of content stored on the memory.
The glitch in itself is not a big threat but the type of data it can give a hacker access to can lead
to a difficult situation.
Google is said to be working on a fix in the next version of Android for this.
Millions of Android Devices Vulnerable to Network Scan Attack
Site: www.hackread.com
Researchers have recently discovered hundreds of vulnerable apps on Google Play Store
which are allowing hackers to inject them with malicious code which, upon downloading, steal
all data from an infected Android device.
The problem, according to the researchers is that some of the apps are creating open ports on
smartphones, which is not a new problem since the same issue was faced by computers but
it is something new when it comes to smartphone technology.
A team from the University of Michigan has tried to use a custom tool for scanning more than
24,000 applications, and 410 of them were found to be flawed. At least one of those apps has
been downloaded so many times that there are potentially millions of Android devices which
are vulnerable.
Researchers also stated: “These newly discovered exploits can lead to a large number of
severe security and privacy breaches. For example, remotely stealing sensitive data such as
contacts, photos, and even security credentials and performing malicious actions such as
executing arbitrary code and installing malware remotely.”
The biggest problem lies with the apps that are used for file transfer between smartphones
and computers via WiFi. The flawed security is allowing more than just the devices’ owner to
access the transfer and the devices themselves. Furthermore, apps which allow services like
WiFi File Transfer, are estimated to have been downloaded between 10 and 50 million times.
When the Michigan team scanned their campus network to determine how many devices
were affected by this flaw, they were able to discover a number of vulnerable devices
after only 2 minutes.
“To get an initial estimate on the impact of these vulnerabilities in the wild, we performed a port
scanning in our campus network, and immediately found a number of mobile devices in 2
minutes which were potentially using these vulnerable apps,” according to the team.
Moreover, it was found that 57 of the 410 apps are truly vulnerable and they have even
demonstrated how the attacks work by explaining that the “app opens ports by default and no
client authentication or incoming connection notifications are engaged, which put the device
user in severe danger.”
Basically, the apps are leaving open doors for any malicious code and not many of those would
miss such an invitation. Google is yet to comment on the current situation. So far, the only way
to fix this problem would be to uninstall these apps and this should not be difficult. However,
this is something that should be fixed ASAP to avoid further problems.
Android Security Bulletin April 2017: What you need to know
Site: www.techrepublic.com
The April 2017 Android Security Bulletin turned out to be yet another month with the platform
once again topping its previous number of critical flaws. Get the highlights.
Once again, the Android platform has been found to contain more critical vulnerabilities than
the previous month. In March, there were eight total critical issues and now, for April, there are
a chart-topping nine. Let's take a look at those critical flaws that are detailed in the April 2017
Android Security bulletin.
Check your security release
Before we highlight what's included with the April 2017 Android Security Bulletin, it's always
good to know what security release is installed on your device.
Let's take a look at those critical vulnerabilities affecting the Android platform.
Critical issues
Remote code execution vulnerability in Mediaserver
Critical issue remains for the oft-plagued Mediaserver. Once again we have a remote code
execution vulnerability within the Mediaserver that could enable an attacker, using a specially-
crafted file, to cause memory corruption during media file and data processing. Because of the
possibility of remote code execution, this issue has been rated as critical.
Related bugs:
A-33641588, A-33864300, A-33966031, A-34031018, A-33934721, A-34097866
Remote code execution vulnerability in Broadcom Wi-Fi firmware
Another remote code execution vulnerability has been found, this time in the Broadcom Wi-Fi
firmware. This issue could enable a remote attacker to execute arbitrary code within the context
of the Wi-Fi System on a Chip (SoC). Because of the possibility of remote code execution,
within the context of the Wi-Fi SoC, this issue has been rated as critical.
Related bug: A-34199105
NOTE: The patch for the above vulnerability is not publicly available and can be found within
the latest binary drivers for Nexus devices from the Google Developer site.
Remote code execution vulnerability in Qualcomm crypto engine driver
The Qualcomm crypto engine driver has been found to contain a remote code execution
vulnerability that could enable a remote attacker to execute arbitrary code within the context
of the kernel. Because of the possibility of remote code execution (within the context of the
kernel) this issue has been rated as critical.
Related bugs: A-34389927, QC-CR#1091408
Remote code execution vulnerability in kernel networking subsystem
A remote code execution vulnerability was located within the kernel networking subsystem
which could enable a remote attacker to execute arbitrary code within the kernel. This bug
does not affect upstream kernels, so any kernel not labeled as upstream could be affected.
Because of the possibility of remote code execution, this vulnerability has been rated as critical.
Related bugs: A-32813456, Upstream kernel
Elevation of privilege vulnerability in MediaTek touchscreen driver
The MediaTek touchscreen driver has been found to contain an elevation of privilege
vulnerability that could enable a local malicious application to execute arbitrary code within the
kernel. Because of the possibility of device compromise (which could require reflashing the
operating system to repair the device), this issue has been rated as critical.
Related Bugs: A-30202425, M-ALPS02898189
NOTE: The patch for the A-30202425 bug is not publicly available and can be found within the
latest binary drivers for Nexus devices from the Google Developer site.
Elevation of privilege vulnerability in HTC touchscreen driver
Another bug in a different touchscreen driver (this time in HTC devices) has been found to
contain an elevation of privilege vulnerability that could enable a local malicious application to
execute arbitrary code within the kernel. Because of the possibility of device compromise
(which could require reflashing the operating system to repair the device), this issue has been
rated as critical.
Related bug: A-32089409
NOTE: The patch for the A-32089409 bug is not publicly available and can be found within
the latest binary drivers for Nexus devices from the Google Developer site.
Elevation of privilege vulnerability in kernel ION subsystem
A bug from the previous month has shown itself again. The ION Memory Allocator has been
found to contain an elevation of privilege vulnerability. This kernel vulnerability could enable a
local malicious application to execute arbitrary, malicious code within the context of the kernel.
Because of the possibility of permanent device compromise (which could require the reflashing
of the operating system), this flaw has been marked as critical.
Related bug: A-34276203
NOTE: The patch for the A-34276203 bug is not publicly available and can be found within
the latest binary drivers for Nexus devices from the Google Developer site.
Vulnerabilities in Qualcomm components
Two critical vulnerabilities have been found to affect Qualcomm components. These bugs are
addressed, in detail, in the Qualcomm AMSS October 2016 security bulletin.
Related bugs: A-31628601, A-35358527
NOTE: The patch for both the A-31628601 and the A-35358527 bugs is not publicly available
and can be found within the latest binary drivers for Nexus devices from the Google Developer
site.
Upgrade and update
The developers will work diligently to patch the vulnerabilities, but it is up to the end users to
ensure the fixes find their way to devices. Make sure you not only check for updates, but that
you apply them as soon as they are available. To see the full listing of vulnerabilities (which
includes a number of high and moderate issues), check out the April 2017 Android Security
Bulletin.
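The bulletin's "check your security release" advice can be automated. The POSIX shell check below is an added example, not code from the report, from Google or from any EMM vendor: it reads the device's security patch level (the real Android property ro.build.version.security_patch, as printed by adb shell getprop) and compares it with a monthly bulletin level. The April 2017 levels 2017-04-01 and 2017-04-05 used in the stand-alone run are taken from Google's bulletin, not from the report above; the device value used offline is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the System4u report or Google): decide whether an Android
# device's security patch level covers a given monthly bulletin level.
# The device value is the string returned by
#   adb shell getprop ro.build.version.security_patch
# (a YYYY-MM-DD date). The April 2017 bulletin defines the levels 2017-04-01 and
# 2017-04-05; those values come from Google's bulletin, not from the report.

# True when $1 looks like a YYYY-MM-DD patch level.
is_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# Turn "YYYY-MM-DD" into a plain integer so the shell can compare it with -ge.
level_to_int() {
    printf '%s\n' "$1" | tr -d '-'
}

# Print one word describing DEVICE_LEVEL against REQUIRED_LEVEL:
#   current  - device level is the same as or newer than the required level
#   outdated - device level is older than the required level
#   unknown  - either value is missing or malformed (e.g. property not set)
# Usage: patch_status DEVICE_LEVEL REQUIRED_LEVEL
patch_status() {
    if ! is_level "$1" || ! is_level "$2"; then
        echo unknown
        return 0
    fi
    if [ "$(level_to_int "$1")" -ge "$(level_to_int "$2")" ]; then
        echo current
    else
        echo outdated
    fi
}

# Exit-status form of the same check, usable directly in an if statement
# (for example inside a compliance script run by an EMM agent).
patch_level_covers() {
    [ "$(patch_status "$1" "$2")" = current ]
}

# Stand-alone run: read the live value via adb when it is installed, otherwise
# fall back to a constructed sample value so the script also runs offline.
if command -v adb >/dev/null 2>&1; then
    device_level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
else
    device_level="2017-03-05"   # constructed sample: a device still on the March level
fi
for required in 2017-04-01 2017-04-05; do
    echo "device $device_level vs bulletin level $required: $(patch_status "$device_level" "$required")"
done
```

A device reporting 2017-04-01 has the platform fixes but not the vendor-driver fixes carried by the 2017-04-05 level, so both levels are worth checking.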
Last Version 7.1.2
Blackberry
Vulnerability
Blackberry powered by Android Security Bulletin – April 2017
Site: support.blackberry.com
BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry
powered by Android smartphones. We recommend users update to the latest available
software build.
Vulnerabilities Fixed in this Update
Columns: Summary; Description; CVE
Remote code execution vulnerability in Mediaserver
A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing.
CVE-2017-0538 CVE-2017-0539 CVE-2017-0540 CVE-2017-0541 CVE-2017-0542 CVE-2017-0543
Elevation of privilege vulnerability in CameraBase
An elevation of privilege vulnerability in CameraBase could enable a local malicious application to execute arbitrary code.
CVE-2017-0544
Elevation of privilege vulnerability in Audioserver
An elevation of privilege vulnerability in Audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process
CVE-2017-0545
Elevation of privilege vulnerability in SurfaceFlinger
An elevation of privilege vulnerability in SurfaceFlinger could enable a local malicious application to execute arbitrary code within the context of a privileged process.
CVE-2017-0546
Information disclosure vulnerability in Mediaserver
An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels.
CVE-2017-0547
Denial of service vulnerability in Mediaserver
A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.
CVE-2017-0549 CVE-2017-0550 CVE-2017-0551 CVE-2017-0552
Elevation of privilege vulnerability in libnl
An elevation of privilege vulnerability in libnl could enable a local malicious application to execute arbitrary code within the context of the Wi-Fi service.
CVE-2017-0553
Elevation of privilege vulnerability in Telephony
An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels.
CVE-2017-0554
Information disclosure vulnerability in Mediaserver
An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels.
CVE-2017-0555 CVE-2017-0556 CVE-2017-0557 CVE-2017-0558
Information disclosure vulnerability in libskia
An information disclosure vulnerability in libskia could enable a local malicious application to access data outside of its permission levels.
CVE-2017-0559
Information disclosure vulnerability in Factory Reset
An information disclosure vulnerability in the factory reset process could enable a local malicious attacker to access data from the previous owner.
CVE-2017-0560
Remote code execution vulnerability in Broadcom Wi-Fi firmware
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC.
CVE-2017-0561
Remote code execution vulnerability in Qualcomm crypto engine driver
A remote code execution vulnerability in the Qualcomm crypto engine driver could enable a remote attacker to execute arbitrary code within the context of the kernel.
CVE-2016-10230
Remote code execution vulnerability in kernel networking subsystem
A remote code execution vulnerability in the kernel networking subsystem could enable a remote attacker to execute arbitrary code within the context of the kernel.
CVE-2016-10229
Elevation of privilege vulnerability in kernel ION subsystem
An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-0564
Vulnerabilities in Qualcomm components
Multiple vulnerabilities in Qualcomm components
CVE-2016-10237 CVE-2016-10238 CVE-2016-10239
Remote code execution vulnerability in Freetype
A remote code execution vulnerability in Freetype could enable a local malicious application to load a specially crafted font to cause memory corruption in an unprivileged process.
CVE-2016-10244
Elevation of privilege vulnerability in kernel sound subsystem
An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2014-4656
Elevation of privilege vulnerability in Broadcom Wi-Fi driver
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-0567 CVE-2017-0568 CVE-2017-0569 CVE-2017-0570 CVE-2017-0571 CVE-2017-0572 CVE-2017-0573 CVE-2017-0574
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-0575
Elevation of privilege vulnerability in Qualcomm crypto engine driver
An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-0576
Elevation of privilege vulnerability in DTS sound driver
An elevation of privilege vulnerability in the DTS sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-0578
Elevation of privilege vulnerability in Qualcomm sound codec driver
An elevation of privilege vulnerability in the Qualcomm sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2016-10231
Elevation of privilege vulnerability in Qualcomm video driver
An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-0579 CVE-2016-10232 CVE-2016-10233
Elevation of privilege vulnerability in Qualcomm Seemp driver
An elevation of privilege vulnerability in the Qualcomm Seemp driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-0462
Elevation of privilege vulnerability in Qualcomm Kyro L2 driver
An elevation of privilege vulnerability in the Qualcomm Kyro L2 driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-6423
Elevation of privilege vulnerability in kernel file system
An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2014-9922
Information disclosure vulnerability in kernel networking subsystem
An information disclosure vulnerability in the kernel networking subsystem could enable a local malicious application to access data outside of its permission levels.
CVE-2014-3145
Information disclosure vulnerability in Qualcomm IPA driver
An information disclosure vulnerability in the Qualcomm IPA driver could enable a local malicious application to access data outside of its permission levels.
CVE-2016-10234
Denial of service vulnerability in Qualcomm Wi-Fi driver
A denial of service vulnerability in the Qualcomm Wi-Fi driver could enable a proximate attacker to cause a denial of service in the Wi-Fi subsystem.
CVE-2016-10235
Elevation of privilege vulnerability in kernel file system
An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code outside of its permission levels.
CVE-2016-7097
Elevation of privilege vulnerability in Qualcomm Wi-Fi driver
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2017-6424
Elevation of privilege vulnerability in Broadcom Wi-Fi driver
An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.
CVE-2016-8465
Information disclosure vulnerability in kernel media driver
An information disclosure vulnerability in the kernel media driver could enable a local malicious application to access data outside of its permission levels.
CVE-2014-1739
Information disclosure vulnerability in Qualcomm Wi-Fi driver
An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels.
CVE-2017-0584
Information disclosure vulnerability in Broadcom Wi-Fi driver
An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to access data outside of its permission levels.
CVE-2017-0585
Information disclosure vulnerability in Qualcomm Avtimer driver
An information disclosure vulnerability in the Qualcomm Avtimer driver could enable a local malicious application to access data outside of its permission levels.
CVE-2016-5346
Information disclosure vulnerability in Qualcomm video driver
An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels.
CVE-2017-6425
Information disclosure vulnerability in Qualcomm USB driver
An information disclosure vulnerability in the Qualcomm USB driver could enable a local malicious application to access data outside of its permission levels.
CVE-2016-10236
Information disclosure vulnerability in Qualcomm sound driver
An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels.
CVE-2017-0586
Information disclosure vulnerability in Qualcomm SPMI driver
An information disclosure vulnerability in the Qualcomm SPMI driver could enable a local malicious application to access data outside of its permission levels.
CVE-2017-6426
Vulnerabilities in Qualcomm components
Multiple vulnerabilities in Qualcomm components
CVE-2014-9937 CVE-2014-9934
BlackBerry is the first non-Google OEM to push April security patch
Site: thenokiablog.com
While companies like Samsung, LG, Huawei or Motorola are still pushing the March security update
to their Android smartphones, BlackBerry has already started to roll out the April security patch.
Considering the update has only just been made available by Google for its Nexus and Pixel
devices, alongside Android 7.1.2 Nougat, it looks like a great achievement on BlackBerry’s
part.
However, this is not the first time it has happened, because BlackBerry has far fewer Android
smartphones that must receive security updates on a monthly basis.
Besides starting to push the update to its smartphones, BlackBerry published the Android
Security Bulletin that contains all the vulnerabilities fixed in this update. Apparently, there are
quite a lot of security issues that have been addressed in this patch.
Keep in mind that the update is rolled out OTA, so if you own a BlackBerry PRIV, DTEK50
or DTEK60 smartphone, you should be notified when the April security patch becomes
available for download.
Interesting Articles
Blackberry is getting a huge refund from Qualcomm after a royalty dispute
Site: www.theverge.com
Qualcomm has to return nearly $815 million to BlackBerry for royalties the Canadian
smartphone maker overpaid between 2010 and 2015.
The decision was made out of court as part of a binding arbitration agreement. Qualcomm
says it disagrees with the decision, but the agreement is binding and cannot be challenged.
Interest and attorney fees will also be added to the total.
The dispute was over royalties BlackBerry paid in advance to Qualcomm, seemingly for the use
of Qualcomm parts or patents in its smartphones. BlackBerry argued that there was supposed
to be a cap on those royalty payments that was not applied at the time, while Qualcomm
argued that BlackBerry’s payments were supposed to be nonrefundable.
Windows Phone
Vulnerability
Windows 10 Mobile build 14393.1066 still doesn't fix vulnerability that exposes
your photos
Site: www.neowin.net
Back in February, a security vulnerability was discovered in Windows 10 Mobile that leaves
your photos exposed to anyone who picks up your phone. With the device locked, all you have
to do is take a picture, delete it, press back, tap the thumbnail of the image, press back again,
tap the thumbnail again, and then press back and tap the thumbnail one more time. With that
simple process, you get access to the owner's full camera roll.
The issue still hasn't been fixed in build 14393.1066. Since this vulnerability was discovered,
it has not been possible to reproduce it in preview builds of the Creators Update, which will begin rolling
out to phones on April 25.
Unfortunately the Creators Update won't be rolling out to all Windows phones that were
supported for the Anniversary Update (AU). Because of this, it seems likely at this point that
many devices might never receive a fix at all.
The last time that a large number of handsets were supported by the Insider Preview but not
the official update was in March, 2016, when Windows 10 Mobile started rolling out to older
devices. Phones were able to continue receiving updates for version 1511, but after the
Anniversary Update was released, there were only a handful more updates.
If this is an issue that concerns you, you can always grab the Creators Update via the Windows
Insider Program, as it's available through the Slow and Fast rings. For now, all of the devices
supported for the AU can use that method.
Interesting Articles
Only a subset of Windows Phones will get Windows 10 Creators Update
Site: www.zdnet.com
Microsoft officials have said the rollout of the Creators Update to handsets with Windows 10
Mobile will begin on April 25, two weeks after the Creators Update begins rolling out to PC
users.
Not all Windows Phones running Windows 10 are going to be eligible for the Creators
Update, however, according to my sources.
Here's an alphabetical list of phones that are expected to get Creators Update:
Alcatel IDOL 4S
Alcatel OneTouch Fierce XL
HP Elite x3
Lenovo Softbank 503LV
MCJ Madosma Q601
Microsoft Lumia 550
Microsoft Lumia 640/640XL
Microsoft Lumia 650
Microsoft Lumia 950/950 XL
Trinity NuAns Neo
VAIO VPB051
Microsoft says unsupported devices on the Release Preview ring will continue to receive
cumulative updates for the Creators Update. The new build number is 15063.251.
Unfortunately for Microsoft users, that means many popular older phones can't be upgraded.
The Lumia 535, the third-most popular Windows phone, is ineligible, as well as the eighth,
ninth, and tenth most popular phones: the Lumia 930, the Lumia 730, and the Lumia 540. The
recent Acer Liquid Jade Primo, as well as popular older phones like the Lumia 1520 are
similarly excluded. By AdDuplex's standards, 39.2 percent of all Windows phones won't be
eligible to receive the Creators Update.
There is an escape hatch, however: Even officially unsupported phones can download the
Creators Update via the Windows Insider program, which puts beta builds on the phone. If
users sign up for the Release Preview, they'll essentially upgrade themselves to an "official"
release. But those phones won't be officially supported, either.
More information about Windows 10 Mobile Creators Update:
http://www.windowscentral.com/windows-10-mobile-creators-update-review
Windows 10 Mobile security guide
Very useful guide with a detailed description of the most important security features in the
Windows 10 Mobile operating system.
Site: https://docs.microsoft.com/en-us/windows/device-security/windows-10-mobile-security-guide
MDM
MobileIron
MobileIron Core 9.3.0.2 New Features Summary:
MobileIron Core is a mobile management software engine that enables IT to set policies for
mobile devices, applications and content. This enables Mobile Device Management, Mobile
Application Management, and Mobile Content Management capabilities. Important Note for
Mobile@Work for Android: If your environment has devices running Android 4.1 through 4.3,
do not upgrade to Core 9.2.0.0 or greater until all impacted devices have upgraded to
Mobile@Work for Android version 9.2.0.0 or greater.
New features summary
This section provides summaries of new features developed for the current release of
MobileIron Core. References to documentation describing these features are also provided,
when available.
General features
This section summarizes new features that are common to all platforms or platform-independent.
• Compliance Policies: Enhanced the customization options to mark a device as non-
compliant with the introduction of Compliance Policies. It allows administrators to define their
own criteria for marking devices non-compliant by combining dozens of device and user fields
to create non-compliant matching criteria. This feature is supported for devices belonging to
Active Directory account users. For more information, refer to the Device Management Guide
> Managing Policies chapter > Compliance Policies section.
• App Catalog: The Core App Catalog no longer lists preloaded apps. NOTE: The
administrator can always import apps that were preloaded in prior Core releases by using the
App Catalog user interface. On upgrade to Core 9.3.0.0, only formerly preloaded apps that
were assigned to labels will be listed in the App Catalog. For more information, refer to the
Apps@Work Guide.
• Enhanced User Portal functionality: Device users can identify who owns their device (the
enterprise or themselves) in the User Portal when registering their device. For more
information, refer to the Device Management Guide > Troubleshooting chapter.
• Enhanced functionality for certCheckJob: Core sends an error message (and a notification
message if notifications are enabled) to the Admin and stops attempting to reissue a
certificate until the lifetime of the issuing certificate from the CA is extended, when all of the
following conditions occur:
- Core performs its daily maintenance check of the certificate table
- Core discovers a certificate that it can reissue
- The certificate is set to expire soon (the default is 60 days)
- The expiration date of the replacement certificate would also be within the expiry window
If the CA administrator takes no action, Core marks the certificate as expired and removes the
configuration consuming the expired certificate from the affected device(s). This feature avoids
an endless loop that consumes Core processing resources, generates network traffic,
and causes unnecessary activity that can drain the device battery.
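The four conditions above, modelled as an added example that is not MobileIron's code: a daily decision routine showing why reissuing stops once the replacement would also land inside the expiry window, why it does not loop, and how it resumes once the CA's issuing certificate lifetime is extended. The action names, the sample dates and the lifetime requested on reissue are assumed; the 60-day default window comes from the release note.

```python
"""Model of the certCheckJob decision described for Core 9.3.0.0.

Constructed illustration, not MobileIron code. The action names, the sample
dates and the lifetime Core requests on reissue are assumed; the 60-day default
expiry window and the four conditions come from the release note.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

EXPIRY_WINDOW_DAYS = 60  # default expiry window named in the release note


@dataclass
class ManagedCert:
    name: str
    not_after: date        # expiry of the certificate currently on the device
    reissuable: bool       # Core is able to re-request it from the CA
    requested_days: int    # lifetime Core asks for on reissue (assumed value)


@dataclass
class IssuingCa:
    not_after: date        # expiry of the CA's issuing certificate


def replacement_not_after(cert: ManagedCert, ca: IssuingCa, today: date) -> date:
    """A CA cannot issue beyond its own lifetime, so the replacement expires at
    the earlier of the requested lifetime and the issuing certificate's expiry."""
    requested = today + timedelta(days=cert.requested_days)
    return min(requested, ca.not_after)


def daily_check(cert: ManagedCert, ca: IssuingCa, today: date,
                window_days: int = EXPIRY_WINDOW_DAYS) -> str:
    """Decide what the daily maintenance run does with one certificate.

    keep               not inside the expiry window (or not reissuable, which
                       the note does not cover), nothing to do
    reissue            inside the window and the replacement would outlive it
    notify_admin       the replacement would also expire inside the window, so
                       reissuing is pointless; raise the error and stop trying
    expire_and_remove  the admin took no action and the certificate has now
                       expired; mark it expired and drop the config using it
    """
    window_end = today + timedelta(days=window_days)
    if cert.not_after > window_end or not cert.reissuable:
        return "keep"
    if replacement_not_after(cert, ca, today) > window_end:
        return "reissue"
    # Replacement would land inside the window too: do not loop on reissue.
    if cert.not_after < today:
        return "expire_and_remove"
    return "notify_admin"


def run_daily(cert: ManagedCert, ca: IssuingCa, start: date, days: int) -> list:
    """Run the daily job over a span of days on a copy of the certificate and
    return the distinct actions in order, so the absence of a reissue loop
    can be verified. A reissue updates the copy's expiry."""
    cert = replace(cert)
    actions = []
    for offset in range(days):
        today = start + timedelta(days=offset)
        action = daily_check(cert, ca, today)
        if action == "reissue":
            cert.not_after = replacement_not_after(cert, ca, today)
        if not actions or actions[-1] != action:
            actions.append(action)
    return actions


if __name__ == "__main__":
    today = date(2017, 4, 19)                      # constructed sample date
    short_ca = IssuingCa(date(2017, 5, 31))        # CA cert ends inside the window
    user_cert = ManagedCert("user-cert", date(2017, 5, 1), True, 365)
    print(run_daily(user_cert, short_ca, today, 20))
    print(run_daily(user_cert, IssuingCa(date(2020, 1, 1)), today, 20))
```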
• Strict ActiveSync to device linking: Strict ActiveSync to device linking is now enabled by
default in new MobileIron Core installations. The 'Use Strict ActiveSync to Device Linking'
setting in Sentry > Preferences is set to 'Yes', i.e. enabled, by default. This means that if
Standalone Sentry cannot successfully link an ActiveSync record to a managed device record
in Core using the ActiveSync ID, Standalone Sentry will not make any additional attempts to
associate the ActiveSync record to a managed device. If 'Use Strict ActiveSync to Device
Linking' is disabled, i.e. set to 'No', Standalone Sentry makes additional attempts to correlate
the ActiveSync record to a managed device record. These additional attempts may cause
performance issues for customers who have a large number of records. Enabling 'Use Strict
ActiveSync to Device Linking' improves Standalone Sentry performance. For more information,
refer to the MobileIron Sentry Guide.
• Delegated Administration: Several features have been added for the Space Admin.
- The Space Admin can now:
- Delete apps from the space if they do not exist in any other space and the Global
Admin has not created a global app configuration for the app.
- Edit the apps in their own space.
- Edit an app's configuration, but not the app name, the app description, or
whether the app is available in the Android for Work container.
- Upload and import in-house and public apps in MobileIron Core.
- When a delegated admin space is removed, all the apps and their app configurations are
also removed.
- A Space column has been added to the App Catalog screen to display the space names
associated with an app.
- The Global Admin has the ability to:
- Assign permission to Space Admins allowing them to manage apps in the App Catalog
within their space.
- Add, edit, and delete web apps in the global space.
- Assign permission that allows a Space Admin to manage apps in the App Catalog in
their own space.
- Support for the Space Admin to add and distribute apps that originated from the Microsoft
Business Store Portal (BSP).
- When a delegated administration space is deleted, the app configuration in that space is
deleted, but the app remains available in MobileIron Core.
- The Apps@Work user experience is the same for a device managed in a subspace or in the
global space.
For details on these Delegated Administration features, see the “Delegated
Administration” chapter in the MobileIron Core Device Management Guide.
• Device Encryption Status is now reported on the Device Details tab. For details, see the
“Managing Devices” chapter in the MobileIron Core Device Management Guide.
Android features
This section summarizes new features specific to the Android platform.
• An HTTP proxy has been created to facilitate connections to Android for Work devices
without whitelisting Google IP addresses. For details, see the “Delegated Administration”
chapter in the MobileIron Core Device Management Guide for Android for Work Devices.
• The Push Notification Service provides Push Notification support for devices that do not have
GCM functionality. For details, see the “Working with Events” chapter in the MobileIron Core
Device Management Guide for Android Devices.
• Android security patch levels for each device are reported to MobileIron Core and displayed
on the Device Details tab of the Devices page. For details, see the “Managing Devices” chapter
in the MobileIron Core Device Management Guide for Android Devices.
• Support for Google Play inside the Samsung Knox Workspace, and for enabling or disabling
hardware features in the Knox Workspace. For details, see the “Delegated Administration”
chapter in the MobileIron Core Device Management Guide for Android Devices.
• A VPN app can be designated as an Always-On VPN app in Android for Work. For details,
see the “Getting Started with Android for Work” chapter in the MobileIron Core Device
Management Guide for Android for Work.
• New settings have been added to the Samsung Knox Container:
- Allow Screen Capture. The Admin can enable the feature and push it to the device.
This gives the user the ability to take a screenshot to help with troubleshooting.
- Allow Remote Control, used by the Federal Government for alternate provisioning of the
Knox container.
- Allow NFC and Allow USB. These turn on NFC and USB so that apps that need this access
will function properly.
These settings are available in the Modify Samsung Knox Container
Setting screen. For details, see the “Samsung Knox Settings” chapter in the MobileIron Core
Device Management Guide for Android Devices.
• A non-VPP licensed app will behave in a delegated administration space after the VPP
license has been removed from MobileIron Core. For details, see the “Delegated
Administration” chapter in the MobileIron Core Device Management Guide for Android
Devices.
• Support for Zebra custom configuration using XML configuration files on Zebra MC40 and
Zebra TC70 with Android 4.4 and 5.1. For details, see “Custom Configuration support for Zebra
devices” in the MobileIron Core Device Management Guide for Android Devices.
• In a delegated administration space, this release adds support for:
- Android for Work functionality for apps in a delegated administration space
- Remote Display
- Applying App configurations
- Automatic update capability for apps
- Applying and removing a label
- Sending an (App) message
For details, see the “Delegated Administration” chapter in the MobileIron Core Device
Management Guide for Android Devices.
• The user now has control over which runtime permissions to grant Mobile@Work. For details,
see the “Registering Devices” chapter in the Getting Started with MobileIron Core 9.3.0.0 for
Android Devices.
iOS features
This section summarizes new features specific to the iOS platform.
• B2B (Business to Business) VPP (Volume Purchase Program) apps can now be imported
into the App Catalog from VPP accounts. For details about VPP, see “Using the iOS Volume
Purchase Program (VPP)” in the Apps@Work Guide.
• MobileIron Core now provides Per app VPN support for IPsec. For details, see “Managing
VPN Settings” in the MobileIron Core Device Management Guide for iOS Devices.
• MobileIron Core now supports PIN-based, anonymous Apple DEP (Device Enrollment
Program) device enrollment. For details, see “Managing Devices Enrolled in the Apple Device
Enrollment Program” in the MobileIron Core Device Management Guide for iOS Devices.
• When enrolling DEP devices, you can configure MobileIron Core to keep iOS devices inside
the iOS Setup Assistant until Core has deployed all configuration profiles and restrictions to
the devices. This applies to devices running iOS 9 through the most recently released version
as supported by MobileIron. For details, see “Managing Devices Enrolled in the Apple Device
Enrollment Program” in the MobileIron Core Device Management Guide for iOS Devices.
• MobileIron Core supports the IKEv2 EAP only authentication method VPN setting for devices
running iOS 10 through the most recently released version of iOS as supported by MobileIron.
For details, see “Managing VPN Settings” in the MobileIron Core Device Management Guide
for iOS Devices.
• When configuring per app VPN, you can now specify whether the per-app VPN service will
tunnel traffic at the application layer (app-proxy) or the IP layer (packet-tunnel). For details,
see “Managing VPN Settings” in the MobileIron Core Device Management Guide for iOS
Devices.
• MobileIron Core supports Entrust decentralized mode with iOS Devices, allowing devices to
communicate directly with Entrust without certificates ever leaving the device. For details, see
“Managing Certificates and Configuring Certificate Authorities” in the MobileIron Core Device
Management Guide for iOS Devices.
• Core provides a new mechanism to support iOS managed app configuration, which allows
apps to get their app-specific configuration from Core rather than requiring the device user to
enter the values in the app. The new mechanism is easier for you to use than the legacy
mechanism. For details, see “iOS managed app configuration” in the Apps@Work Guide.
• MobileIron Core supports uploading content to the iBooks iOS app by the Space Admin in a
delegated administration subspace. For details, see the “Delegated Administration” chapter in
the MobileIron Core Device Management Guide for Android Devices.
Windows features
This section summarizes new features specific to the Windows platform.
• MobileIron Bridge Configuration Reversal: Core 9.3.0.0 introduces the ability for
administrators to set up MobileIron Bridge action scripts and scripts that will reverse those
actions for Windows 10 devices. NOTE: Some actions cannot have an undo action, and
administrators will need to be aware of which actions can be undone before attempting to upload
an undo script. For more information, refer to the Device Management Guide > MobileIron
Bridge chapter.
• MobileIron Bridge Reporting Enhancement: This feature is supported on only Windows 10
devices. Core reports if a script was initiated successfully by MobileIron Bridge. In addition,
this release enhances the log searches using the following fields:
- State
- Object Name
- Message
For more information, refer to the Device Management Guide > MobileIron Bridge
chapter.
• Enhanced information for W32 applications: This feature supports only Windows 10 devices.
Using MobileIron Bridge, the following enhanced information for Win32 applications is
available if the application developer included it:
- Display Version
- Developer
- Description
For more information, refer to the Device Management Guide > MobileIron Bridge chapter.
• Enhancing device inventory: Core uses a new data feed (provided by Microsoft) to allow it
to streamline application inventory data. This helps with data costs and data size and allows
Core to report on all data for Windows 10 Mobile devices and not just App store and non-store
applications. For more information, refer to the Device Management Guide > MobileIron Bridge
chapter.
• Enterprise App Store: Multi-region support is available for searching applications in the
Windows 10 store. For more information, refer to the Device Management Guide > MobileIron
Bridge chapter.
• EDP/WIP profile name change: Use of the term, Enterprise Data Protection or EDP has been
changed to Windows Information Protection or WIP in the product and the documentation. For
more information, refer to the Device Management Guide > Azure Services chapter > Windows
Information Protection section.
• Windows License Management: Admins can upgrade the working SKU on the device from:
- Pro -> Enterprise
- Consumer version -> Enterprise version
For more information, refer to the Device Management Guide > MobileIron Bridge chapter.
• Passport for Work/Windows Hello: Administrators can configure their Azure AD (AAD) devices
to use the Windows Hello/Passport for Work identity feature. The resulting credential can be
used to sign in to the device itself and to other applications that support the feature. For
more information, refer to the Device Management Guide > Azure Services chapter.
AppConnect features
This section summarizes new AppConnect features common to both AppConnect for Android
and AppConnect for iOS.
• On the AppConnect global policy, the field Check for passcode strength has been renamed
to Check for AppConnect passcode strength to clarify that the passcode strength applies to
the AppConnect passcode not the device passcode. For details, see “AppConnect passcode
strength” in the AppConnect and AppTunnel Guide.
• You can now use the Core substitution variable $GOOGLE_AUTOGEN_PASSWORD$ as
the value in a key-value pair in an AppConnect app configuration. For details, see “Configuring
an AppConnect app configuration” in the AppConnect and AppTunnel Guide.
MobileIron Sentry 9.0.2
This release replaces the Standalone Sentry 9.0.0 release and addresses some security
issues.
Summary:
A flaw has been reported in MobileIron Sentry which could lead to information disclosure. This
issue affects Sentry only in a very specific configuration in combination with external services.
An information disclosure issue has been reported in MobileIron Sentry version 9.0.0 that could
cause users to access another user's mailbox. In environments where Sentry is configured for
both Trusted Front End (TFE) and Kerberos and where the front end (e.g. F5 or NetScaler) is
configured to reuse TLS sessions between it and the Sentry, users attempting to access their
mailbox may instead access another user's mailbox.
This issue is resolved in Sentry 9.0.2. Customers running Sentry 8.5 are not impacted by this
issue. Customers are advised to upgrade to version 9.0.2 if they configure their Sentry to use:
- Trusted Front End AND
- Kerberos AND
- a front end that has TLS session reuse enabled
In order to successfully exploit this issue, an attacker must have access to an email account
on a server protected by a Sentry that is configured for TFE and Kerberos and where the front
end will reuse the TLS session to Sentry. By default, MobileIron Core does not use these
features.
In these instances, Sentry will associate the TLS session from the front end with the first user
to authenticate over that connection. This can incorrectly lead subsequent users to access that
first user’s mailbox.
MobileIron Impact
This issue has been rated as having Medium severity by the MobileIron Security Team.
This issue affects the following MobileIron Sentry version: MobileIron Sentry 9.0.0
Please note that customers are only affected if they configure MobileIron Sentry to use:
- Trusted Front End AND
- Kerberos AND
- a front end that has TLS session reuse enabled
New Features Summary:
The following are new features and enhancements in Standalone Sentry that are available for
MobileIron Core and MobileIron Cloud:
• Standalone Sentry system health data can be pushed to MobileIron Monitor. Previously,
only audit log data could be pushed to MobileIron Monitor. Standalone Sentry treats
MobileIron Monitor as any other syslog server.
The following commands were updated:
- syslog: Added port, protocol, and facility for configuring the syslog server.
- show logging: Added port, protocol, and facility type to the output.
The following commands were added:
- sentry health-monitor
- no sentry health-monitor
- show sentry health-monitor
• TCP is now a supported protocol for sending log data from Standalone Sentry to your
syslog server.
• Audit logs show the inner connections for IP Tunnel traffic. The EntryType in the log is set
to IP_VPN_CONN. An additional field, type, identifies the inner connection that was
attempted; it is one of two values, UDP or TCP. Correlation with the original tunnel
establishment request is done through its useCaseID.
• The Cipher TLS_DHE_DSS_WITH_AES_128_CBC_SHA has been removed from the
supported list of ciphers for Sentry Server Role (Incoming SSL configuration).
• The following two new CLI commands allow administrators to verify a KCD configuration
by issuing a Kerberos ticket for a particular user.
- debug sentry kerberos request-ticket host-port <upn> <realm> <hostname> [port]
- debug sentry kerberos request-ticket spn <upn> <realm> <spn>
The Kerberos tickets issued using the debug commands are for testing and debugging
purposes only and are not cached or reused.
• The default subnet that Standalone Sentry uses internally for IP tunnels has been
changed from 172.28.13.1/30 to 172.28.13.0/29. If you have a host in your internal network
with an IP address within the subnet 172.28.13.0/29, you must change the subnet Standalone
Sentry uses for IP tunneling. Contact MobileIron Support for instructions on how to change the
default subnet that Standalone Sentry uses for IP tunneling.
• Garbage Collection (GC) logs are enabled by default. The GC logs are automatically added
to show-tech. When you upgrade to version 9.0.0, GC logs are enabled. You can configure
GC logging via Sentry CLI commands.
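Correlating the new IP_VPN_CONN audit entries with their tunnel, as an added example rather than Sentry code: the page states only that inner connections are logged with EntryType=IP_VPN_CONN, a type field of TCP or UDP, and a useCaseID matching the original tunnel establishment request. The key=value line layout, the IP_VPN_TUNNEL name used here for the establishment entry, and the user, device and dst fields are assumptions so that the example runs offline on constructed lines.

```python
"""Correlate Standalone Sentry IP-tunnel audit entries by useCaseID.

Added example, not Sentry code. Only EntryType=IP_VPN_CONN, the type field
(TCP/UDP) and useCaseID come from the release notes; the line layout, the
IP_VPN_TUNNEL entry name and the user/device/dst fields are assumed.
"""
from typing import Dict, List, Set, Tuple

# Constructed sample lines, not real Sentry output.
SAMPLE_LOG = """\
ts=2017-04-12T09:15:02Z EntryType=IP_VPN_TUNNEL useCaseID=uc-1001 user=alice device=dev-42 result=SUCCESS
ts=2017-04-12T09:15:03Z EntryType=IP_VPN_CONN useCaseID=uc-1001 type=TCP dst=10.20.1.15:443
ts=2017-04-12T09:15:09Z EntryType=IP_VPN_CONN useCaseID=uc-1001 type=UDP dst=10.20.1.2:53
ts=2017-04-12T09:16:40Z EntryType=IP_VPN_TUNNEL useCaseID=uc-1002 user=bob device=dev-77 result=SUCCESS
ts=2017-04-12T09:16:41Z EntryType=IP_VPN_CONN useCaseID=uc-1002 type=TCP dst=10.20.1.15:443
ts=2017-04-12T09:17:05Z EntryType=IP_VPN_CONN useCaseID=uc-1002 type=TCP dst=10.20.5.9:3389
ts=2017-04-12T09:18:00Z EntryType=IP_VPN_CONN useCaseID=uc-9999 type=TCP dst=10.20.1.15:443
"""

Orphan = Tuple[str, str, str]            # (useCaseID, type, dst)
Hit = Tuple[str, str, str, str]          # (user, device, type, dst)


def parse_line(line: str) -> Dict[str, str]:
    """Split a key=value audit line into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
    return fields


def correlate(log: str) -> Tuple[Dict[str, dict], List[Orphan]]:
    """Attach every IP_VPN_CONN to its tunnel via useCaseID.

    Returns (tunnels, orphans). tunnels maps useCaseID to the user, device and
    inner connections; orphans are inner connections with no establishment
    entry, which points at a log gap or an identifier that does not belong.
    """
    entries = [parse_line(ln) for ln in log.splitlines() if ln.strip()]
    tunnels: Dict[str, dict] = {
        e["useCaseID"]: {"user": e.get("user"), "device": e.get("device"), "conns": []}
        for e in entries if e.get("EntryType") == "IP_VPN_TUNNEL" and "useCaseID" in e
    }
    orphans: List[Orphan] = []
    for e in entries:
        if e.get("EntryType") != "IP_VPN_CONN":
            continue
        uc = e.get("useCaseID", "")
        conn = (e.get("type", "?"), e.get("dst", "?"))
        if uc in tunnels:
            tunnels[uc]["conns"].append(conn)
        else:
            orphans.append((uc,) + conn)
    return tunnels, orphans


def flag_unexpected(tunnels: Dict[str, dict], allowed_ports: Set[int]) -> List[Hit]:
    """Inner connections to ports outside the expected set, with the user and device behind them."""
    hits: List[Hit] = []
    for t in tunnels.values():
        for proto, dst in t["conns"]:
            _host, _sep, port = dst.rpartition(":")
            if not port.isdigit() or int(port) not in allowed_ports:
                hits.append((t["user"], t["device"], proto, dst))
    return hits


if __name__ == "__main__":
    tunnels, orphans = correlate(SAMPLE_LOG)
    print("unexpected:", flag_unexpected(tunnels, {443, 53}))
    print("orphans:", orphans)
```

Against the constructed lines this reports bob's device reaching an RDP port through the tunnel and one inner connection (uc-9999) whose tunnel was never logged; both are the kinds of finding the per-tunnel correlation is for.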
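A pre-upgrade check for the tunnel subnet change, as an added example (not Sentry code): the only facts taken from the release notes are the two subnets, 172.28.13.1/30 before and 172.28.13.0/29 after; the list of internal networks is constructed. Note that the old value is written as a host address with a prefix and actually denotes 172.28.13.0/30, which the new /29 fully contains, so the only new collisions are in 172.28.13.4-7.

```python
"""Check the Standalone Sentry IP-tunnel subnet against internal address space.

Added example, not Sentry code. OLD/NEW subnets are from the release notes;
the INTERNAL list is constructed.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# 172.28.13.1/30 is a host-with-prefix spelling; strict=False normalises it to 172.28.13.0/30.
OLD_TUNNEL_SUBNET: Network = ipaddress.ip_network("172.28.13.1/30", strict=False)
NEW_TUNNEL_SUBNET: Network = ipaddress.ip_network("172.28.13.0/29")

# Constructed internal address plan: CIDR blocks and single hosts are both accepted.
INTERNAL = ["10.0.0.0/8", "172.28.12.0/24", "172.28.13.6", "192.168.50.0/24", "172.28.13.0/30"]


def conflicts(tunnel_subnet: Network, internal: Iterable[str]) -> List[str]:
    """Internal networks or hosts that overlap the tunnel range (a single host is a /32)."""
    hits: List[str] = []
    for entry in internal:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == tunnel_subnet.version and net.overlaps(tunnel_subnet):
            hits.append(entry)
    return hits


def newly_exposed(internal: Iterable[str]) -> List[str]:
    """Entries that did not collide with the old /30 but do collide with the wider /29."""
    internal = list(internal)
    before = set(conflicts(OLD_TUNNEL_SUBNET, internal))
    return [e for e in conflicts(NEW_TUNNEL_SUBNET, internal) if e not in before]


if __name__ == "__main__":
    print("old subnet:", OLD_TUNNEL_SUBNET, "new subnet:", NEW_TUNNEL_SUBNET)
    print("collide with new /29:", conflicts(NEW_TUNNEL_SUBNET, INTERNAL))
    print("newly exposed by the change:", newly_exposed(INTERNAL))
```

Any non-empty result from newly_exposed is the case the release notes warn about, and the tunnel subnet has to be changed through MobileIron Support before the upgrade rather than after devices start tunnelling.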
MobileIron Cloud features
The following are new features and enhancements in Standalone Sentry introduced for
MobileIron Cloud:
• Advanced traffic control (ATC) can be configured on MobileIron Cloud. Administrators can
configure both domain-based as well as IP-based rules. For Standalone Sentry configured
on MobileIron Cloud, ATC rules can also be applied to IP traffic.
• Physical and VLAN interface fields, as well as the DNS and hostname fields, are not
editable for a Standalone Sentry installed on Amazon Web Services (AWS) or on Microsoft
Azure. These are assigned by the AWS or the Microsoft Azure infrastructure.
• Standalone Sentry supports the tiered action feature in MobileIron Cloud. For more
information see the documentation for MobileIron Cloud.
Last Version
MobileIron Core: 9.3.0
MobileIron Sentry: 9.0.2
Integrated Sentry: 6.2.1
Mobile@Work for Android: 9.3.0.2
Secure Apps for Android: 7.7.0.0
Email+ for Android: 2.3.0
Docs@Work for Android: 2.0.0
Web@Work for Android: 2.0.0
Mobile@Work for iOS: 9.1.0
Email+ for iOS: 2.4.0
Docs@Work for iOS: 2.2.0
Web@Work for iOS: 1.9.3
AirWatch
VMware AirWatch 9.1 Release Highlights
• Expanded support for Windows 10, including OS patch management, BitLocker encryption and
online BSP licensing
• Simple and secure Android for enterprise with new deployment methods, Google Play
integrations, and more
• Extension of one-touch mobile SSO across apps with unified access control
• Device actions taken based on defined events or conditions such as battery, memory level and
more
• Windows Unified Agent 9.1 is seeded in the AirWatch Console
Complete Release notes:
https://my.air-watch.com/help/9.1/en/Content/Release_Notes/Help_Release_Notes.htm
Last Version
VMware AirWatch 9.1
AirWatch Agent for iOS 5.4.2
VMware Browser for iOS 6.2.1
VMware Content Locker for iOS 4.3
AirWatch Inbox for iOS 3.2
AirWatch Tunnel for iOS 1.3.4
VMware Boxer for iOS 4.4.1
AirWatch Container 2.5
AirWatch Agent for Android 7.1.4.151
VMware Browser for Android 6.2.0.30
VMware Content Locker for Android 3.3.0.11
AirWatch Inbox for Android 3.2.0.24
VMware Boxer for Android 4.3.0.33
AirWatch Container 3.4.0.19
What is the Difference between MDM, EMM and UEM? Source: www.42gears.com
Managing mobile devices across business operations is more critical to enterprise success
than ever before. Several categories of mobile security products like MDM (Mobile Device
Management) and EMM (Enterprise Mobility Management) have emerged to address the
problems related to data security and privacy. Here are few pointers which will explain the
basic difference between these products:
MDM (Mobile Device Management)
MDM is all about remotely managing devices, allowing users to perform certain prescribed tasks
on their phones and tablets. MDM includes features like device provisioning, enrollment, device
security and location tracking. It also allows the data to be wiped if the device is stolen or
lost. A basic MDM tool can enforce security policies, track inventory and perform real-time
monitoring and reporting.
From a security standpoint, this was a perfectly reasonable way to manage a company-owned
device. But some employees were not comfortable carrying two separate devices for business
and personal use, so it was in the interest of businesses to consider employees' demand for
BYOD (Bring Your Own Device): a single device that gives employees the flexibility to shift
between personal and work use, anywhere and at any time.
The rapid growth of smartphones and the mobile application market, together with the need for
data security, led to Mobile Application Management (MAM) solutions, which limit management
and control to specific business applications. Mobile Application Management is like MDM,
except that it applies only to specific applications on a device instead of the entire device.
MAM helps in creating an enterprise app store and in pushing or updating necessary apps on
business devices remotely. But MAM has its own set of challenges: because every business app
requires unique coding to work with each individual MAM product, the availability of apps for a
specific standalone platform can be limited.
Nonetheless, MAM was a reasonable settlement between employees and employers that neither
compromised data security nor interfered with employee privacy. In practice, however, the
experience was not great, because MAM cannot easily be extended to support the majority of
native app-store applications. Several smaller development stages followed in which the
experience was redefined by applications such as MIM (Mobile Information Management) and
MCM (Mobile Content Management). These focus on the security of a particular document
repository where employees and employers access and share documents or files without
affecting the entire device or other applications.
EMM (Enterprise Mobility Management)
Finally, the market reached the stage of EMM. EMM is the combination of MDM and MAM
solutions equipped with a secure container that keeps business data secure. In addition to
MDM, an EMM solution offers Mobile App Management, Mobile Content Management, App
Wrapping and Containerization. EMM is a complete package of services offering complete
data security on BYOD and COSU (corporate-owned, single-use) devices for enterprises.
While MAM and MDM solutions were being continuously upgraded to match the growing data
security needs of enterprises, BYOD as a concept came into the picture, allowing end users to
bring their own mobile devices and enroll them in IT's corporate resources. BYOD is enabled
through containerization, which lets the IT admin segregate company and personal data on the
same handheld. It allows the IT admin to create encrypted, policy-enabled and distinct
containers on employees' personal devices for browser apps and for delivering specific email
and data.
Mobile Device Management (MDM), Enterprise Mobility Management (EMM) and Unified
Endpoint Management (UEM)
Simply put, the main difference between MDM and EMM is that MDM manages the device
itself, while EMM manages the device together with its applications, content and identity. EMM
provides policy compliance, app customization, data and document security, and integrates
with network directory services.
UEM (Unified Endpoint Management)
The move from MDM to EMM has been rapid, as more organizations realize the need to protect
their networks and ensure data compliance. With new technologies entering the global market,
the world is moving towards a new set of EMM solutions such as Unified Endpoint Management
(UEM), which allows businesses to manage all their endpoints, including laptops, mobiles,
tablets, PCs, printers and wearables, from a single extensive solution.