Guidelines for Enterprise Mobility

This chapter of the Information Security Manual (ISM) provides guidance on enterprise mobility.

Mobile device management

Types of mobile devices

These guidelines describe the use and protection of mobile devices, such as smartphones, tablets and laptops. Further guidance for laptops is available in the Guidelines for System Hardening and the Guidelines for System Management.

Mobile device management policy

Since mobile devices routinely leave the office environment, and the protection it affords, it is important that a mobile device management policy is developed and implemented to ensure that they are sufficiently hardened.

Control: ISM-1533; Revision: 2; Updated: Aug-19; Applicability: All; Essential Eight: N/A
A mobile device management policy is developed and implemented.

Control: ISM-1195; Revision: 1; Updated: Sep-18; Applicability: All; Essential Eight: N/A
A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices.

ASD-approved platforms

In order to ensure interoperability and maintain trust, all mobile devices that process, store or communicate SECRET or TOP SECRET data must be approved for use by the Australian Signals Directorate (ASD).

Control: ISM-0687; Revision: 9; Updated: Sep-22; Applicability: S, TS; Essential Eight: N/A
Mobile devices do not process, store or communicate SECRET or TOP SECRET data until approved for use by ASD.

Privately-owned mobile devices

Allowing privately-owned mobile devices to access an organisation’s systems or data can increase liability risk. As such, an organisation should seek legal advice to ascertain whether this scenario affects compliance with relevant legislation, such as the Privacy Act 1988 and the Archives Act 1983, and also consider whether the increased liability risks are acceptable to the organisation.

If an organisation chooses to allow personnel to use a privately-owned mobile device to access their organisation’s systems or data, they should ensure that it does not present an unacceptable security risk. This can be achieved by encouraging the use of an ASD-approved platform, with a security configuration in accordance with Australian Cyber Security Centre (ACSC) guidance, along with enforced separation of work and personal data.

Control: ISM-1297; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Legal advice is sought prior to allowing privately-owned mobile devices to access systems or data.

Control: ISM-1400; Revision: 7; Updated: Sep-22; Applicability: O, P; Essential Eight: N/A
Personnel accessing OFFICIAL and PROTECTED systems or data using a privately-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data.

Control: ISM-0694; Revision: 7; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
Privately-owned mobile devices do not access SECRET and TOP SECRET systems or data.

Organisation-owned mobile devices

If an organisation chooses to issue personnel with an organisation-owned mobile device to access their organisation’s systems or data, they should ensure that it does not present an unacceptable security risk. This can be achieved by using an ASD-approved platform, with a security configuration in accordance with ACSC guidance, along with enforced separation of work and personal data.

Control: ISM-1482; Revision: 6; Updated: Sep-22; Applicability: O, P, S, TS; Essential Eight: N/A
Personnel accessing systems or data using an organisation-owned mobile device use an ASD-approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of work and personal data.

Storage encryption

Encrypting the internal storage, and any removable media, for mobile devices will prevent an adversary from gaining easy access to any sensitive or classified data stored on them if they are lost or stolen.

Control: ISM-0869; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Mobile devices encrypt their internal storage and any removable media.

Communications encryption

If appropriate encryption is not available to protect data in transit, mobile devices communicating sensitive or classified data will present a security risk.

Control: ISM-1085; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Mobile devices encrypt all sensitive or classified data communicated over public network infrastructure.

Bluetooth functionality

To mitigate security risks associated with pairing mobile devices with other Bluetooth devices, Bluetooth version 4.1 introduced the Secure Connections functionality for Bluetooth Classic, while Bluetooth version 4.2 introduced the Secure Connections functionality for Bluetooth Low Energy. This functionality uses keys generated using Elliptic Curve Diffie-Hellman cryptography, thereby offering greater security compared to previous key exchange protocols. However, personnel should still consider the location and manner in which they pair OFFICIAL and PROTECTED mobile devices with other Bluetooth devices, such as by avoiding pairing devices in public locations, and remove all Bluetooth pairings when there is no longer a requirement for their use.

Note, however, the Bluetooth protocol provides inadequate protection for the communication of SECRET and TOP SECRET data. As such, Bluetooth functionality is not suitable for use with SECRET and TOP SECRET mobile devices.

Control: ISM-1196; Revision: 2; Updated: Jun-22; Applicability: O, P; Essential Eight: N/A
OFFICIAL and PROTECTED mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.

Control: ISM-1200; Revision: 5; Updated: Jun-22; Applicability: O, P; Essential Eight: N/A
Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed using Secure Connections, preferably with Numeric Comparison if supported.

Control: ISM-1198; Revision: 2; Updated: Jun-22; Applicability: O, P; Essential Eight: N/A
Bluetooth pairing for OFFICIAL and PROTECTED mobile devices is performed in a manner such that connections are only made between intended Bluetooth devices.

Control: ISM-1199; Revision: 3; Updated: Jun-22; Applicability: O, P; Essential Eight: N/A
Bluetooth pairings for OFFICIAL and PROTECTED mobile devices are removed when there is no longer a requirement for their use.

Control: ISM-0682; Revision: 5; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
Bluetooth functionality is not enabled on SECRET and TOP SECRET mobile devices.

Maintaining mobile device security

Poorly secured mobile devices are more vulnerable to compromise, and provide an adversary with a potential access point into any connected systems. Although an organisation may initially provide secure mobile devices, their security posture may degrade over time if personnel are capable of installing or uninstalling non-approved applications, or disabling or modifying security functionality. Furthermore, it is important that security updates are applied to mobile devices as soon as they become available in order to maintain their security posture.

Control: ISM-0863; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Mobile devices prevent personnel from installing or uninstalling non-approved applications once provisioned.

Control: ISM-0864; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Mobile devices prevent personnel from disabling or modifying security functionality once provisioned.

Control: ISM-1366; Revision: 2; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Security updates are applied to mobile devices as soon as they become available.

Connecting mobile devices to the internet

When connecting mobile devices to the internet, best practice involves establishing a Virtual Private Network (VPN) connection to an organisation’s internet gateway rather than a direct connection to the internet. In doing so, mobile devices will be protected by additional security functionality, such as web content filtering, provided by an organisation’s internet gateway.

With split tunnelling, only traffic destined for an organisation’s network is sent through the VPN while all other traffic goes directly to other networks, such as the internet, so a split tunnel VPN can allow access into an organisation’s network from those other networks. If split tunnelling is not disabled, there is an increased security risk that the VPN connection will be susceptible to intrusions from other networks. An organisation can refer to the relevant ACSC security configuration guidance for mobile devices on how to mitigate this security risk.

Control: ISM-0874; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Mobile devices access the internet via a VPN connection to an organisation’s internet gateway rather than via a direct connection to the internet.

Control: ISM-0705; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
When accessing an organisation’s network via a VPN connection, split tunnelling is disabled.
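As an added illustration (not part of the ISM itself), the following Python audits a constructed set of mobile device inventory records against the controls in this section and reports each non-compliant device by the ISM control identifier it fails. The record layout, the field names and the `ip route` lines are assumptions made for the example, not any MDM product's real export format. The split-tunnel check is derived from the routing table rather than from a client setting: a full tunnel is recognisable by the default route (or the 0.0.0.0/1 and 128.0.0.0/1 pair that some VPN clients push) landing on the VPN interface.

```python
"""Audit mobile-device inventory records against the ISM enterprise-mobility
controls.  Added example: the record layout is a hypothetical MDM export shape
(not any product's real API); the control identifiers are the ISM's own."""
from __future__ import annotations

SECRET_LEVELS = {"SECRET", "TOP SECRET"}
FULL_TUNNEL_HALVES = {"0.0.0.0/1", "128.0.0.0/1"}  # /1 pair some VPN clients push


def split_tunnel_from_routes(route_lines: list[str], vpn_ifname: str) -> bool:
    """Return True if the routing table still leaves a split tunnel in place.

    A full tunnel sends everything via the VPN interface: either the default
    route sits on that interface, or the two /1 routes that together cover all
    of IPv4 do (used by VPN clients to win over the existing default route).
    Lines use the `ip route` text layout; the samples below are constructed.
    """
    default_dev = None
    halves_on_vpn: set[str] = set()
    for line in route_lines:
        fields = line.split()
        if not fields:
            continue
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        if fields[0] == "default":
            default_dev = dev
        elif fields[0] in FULL_TUNNEL_HALVES and dev == vpn_ifname:
            halves_on_vpn.add(fields[0])
    full_tunnel = default_dev == vpn_ifname or halves_on_vpn == FULL_TUNNEL_HALVES
    return not full_tunnel


def audit_device(rec: dict) -> list[str]:
    """Return the ISM control IDs this device record fails, in check order."""
    findings: list[str] = []
    if not (rec["storage_encrypted"] and rec["removable_media_encrypted"]):
        findings.append("ISM-0869")          # internal storage and removable media
    if rec["classification"] in SECRET_LEVELS:
        if rec["ownership"] != "organisation":
            findings.append("ISM-0694")      # no privately-owned S/TS devices
        if rec["bluetooth_enabled"]:
            findings.append("ISM-0682")      # Bluetooth not enabled on S/TS devices
    else:
        if (rec["bluetooth_enabled"] and rec["bluetooth_discoverable"]
                and not rec["pairing_in_progress"]):
            findings.append("ISM-1196")      # undiscoverable except while pairing
        if rec["stale_pairings"]:
            findings.append("ISM-1199")      # pairings removed when no longer needed
    if rec["user_can_change_apps"]:
        findings.append("ISM-0863")          # no installing/uninstalling apps
    if rec["user_can_disable_security"]:
        findings.append("ISM-0864")          # security functionality locked
    if rec["pending_security_updates"] > 0:
        findings.append("ISM-1366")          # updates applied as soon as available
    if not rec["vpn"]["enabled"]:
        findings.append("ISM-0874")          # internet via VPN to the gateway
    elif split_tunnel_from_routes(rec["routes"], rec["vpn"]["interface"]):
        findings.append("ISM-0705")          # split tunnelling disabled
    return findings


def audit_inventory(inventory: list[dict]) -> dict[str, list[str]]:
    """Map device id -> failed controls, listing only non-compliant devices."""
    report = {}
    for rec in inventory:
        failed = audit_device(rec)
        if failed:
            report[rec["id"]] = failed
    return report


# Constructed records: a compliant PROTECTED tablet and a non-compliant SECRET laptop.
SAMPLE_INVENTORY = [
    {
        "id": "tablet-01", "classification": "PROTECTED", "ownership": "organisation",
        "storage_encrypted": True, "removable_media_encrypted": True,
        "bluetooth_enabled": True, "bluetooth_discoverable": False,
        "pairing_in_progress": False, "stale_pairings": [],
        "user_can_change_apps": False, "user_can_disable_security": False,
        "pending_security_updates": 0,
        "vpn": {"enabled": True, "interface": "tun0"},
        "routes": ["default via 10.8.0.1 dev tun0",          # everything via VPN
                   "10.8.0.0/24 dev tun0",
                   "192.168.1.0/24 dev wlan0",
                   "203.0.113.10 via 192.168.1.1 dev wlan0"],  # VPN gateway itself
    },
    {
        "id": "laptop-07", "classification": "SECRET", "ownership": "organisation",
        "storage_encrypted": True, "removable_media_encrypted": False,
        "bluetooth_enabled": True, "bluetooth_discoverable": False,
        "pairing_in_progress": False, "stale_pairings": [],
        "user_can_change_apps": False, "user_can_disable_security": False,
        "pending_security_updates": 2,
        "vpn": {"enabled": True, "interface": "tun0"},
        "routes": ["default via 192.168.1.1 dev wlan0",     # internet goes direct
                   "10.0.0.0/8 via 10.8.0.1 dev tun0",      # only corp ranges via VPN
                   "192.168.1.0/24 dev wlan0"],
    },
]

if __name__ == "__main__":
    for device_id, failed in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{device_id}: fails {', '.join(failed)}")
```

Running the module prints `laptop-07: fails ISM-0869, ISM-0682, ISM-1366, ISM-0705` and nothing for the tablet. Checks that depend on the device's classification are kept apart from those that apply to all devices so that the O/P Bluetooth controls and the S/TS prohibition cannot be confused, and the route-based split-tunnel test is what catches the laptop even though its VPN is reported as enabled.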

Further information

Further information on hardening operating systems for laptops can be found in the operating system hardening section of the Guidelines for System Hardening.

Further information on hardening applications for laptops can be found in the application hardening section of the Guidelines for System Hardening.

Further information on patching or updating operating systems and applications for laptops can be found in the system patching section of the Guidelines for System Management.

Further information on allowing the use of privately-owned mobile devices by personnel to access their organisation’s systems and data can be found in the ACSC’s Bring Your Own Device for Executives publication.

Further information and specific guidance on enterprise mobility can be found in the ACSC’s Risk Management of Enterprise Mobility Including Bring Your Own Device (BYOD) publication.

Further information on cyber supply chain risk management can be found in the cyber supply chain risk management section of the Guidelines for Procurement and Outsourcing.

Further information on evaluated products can be found in the evaluated product procurement section of the Guidelines for Evaluated Products.

Further information on ASD-approved platforms can be found in the following ACSC publications:

Further information on encrypting mobile devices and their communications can be found in the cryptographic fundamentals section of the Guidelines for Cryptography.

Further information on Bluetooth security can be found in National Institute of Standards and Technology Special Publication 800-121 Rev. 2, Guide to Bluetooth Security.

Mobile device usage

Mobile device usage policy

Since mobile devices routinely leave the office environment, and the protection it affords, it is important that an organisation develops a mobile device usage policy governing their use.

Control: ISM-1082; Revision: 2; Updated: Aug-19; Applicability: All; Essential Eight: N/A
A mobile device usage policy is developed and implemented.

Personnel awareness

Mobile devices can have both a voice and data communications component. In such cases, personnel should know the sensitivity or classification of voice and data that mobile devices have been approved to process, store and communicate.

Control: ISM-1083; Revision: 2; Updated: Sep-18; Applicability: All; Essential Eight: N/A
Personnel are advised of the sensitivity or classification permitted for voice and data communications when using mobile devices.

Paging, message services and messaging apps

As paging, messaging services and many messaging apps do not sufficiently encrypt data in transit, they cannot be relied upon for the communication of sensitive or classified data.

Control: ISM-0240; Revision: 7; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Paging, Multimedia Message Service, Short Message Service and messaging apps are not used to communicate sensitive or classified data.

Using mobile devices in public spaces

Personnel should be aware of the environment in which they use mobile devices to view or communicate sensitive or classified data. In particular, personnel should take care to ensure that sensitive or classified data is not observed by other parties in public areas, such as on public transport, in transit lounges and at coffee shops. In some cases, privacy filters can be applied to the screen of a mobile device to prevent onlookers from reading content off its screen.

In addition, personnel should maintain awareness of the environments from which they conduct sensitive or classified phone calls and the potential for their conversations to be overheard.

Control: ISM-0866; Revision: 5; Updated: Jun-21; Applicability: All; Essential Eight: N/A
Sensitive or classified data is not viewed or communicated in public locations unless care is taken to reduce the chance of the screen of a mobile device being observed.

Control: ISM-1145; Revision: 4; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
Privacy filters are applied to the screens of SECRET and TOP SECRET mobile devices.

Control: ISM-1644; Revision: 0; Updated: Jun-21; Applicability: All; Essential Eight: N/A
Sensitive or classified phone calls are not conducted in public locations unless care is taken to reduce the chance of conversations being overheard.

Maintaining control of mobile devices

As mobile devices are portable in nature, and can be easily lost or stolen, it is strongly advised that personnel maintain continual direct supervision of them when they are being actively used, and carry or store them in a secured state when they are not being actively used. Note, while mobile devices may be encrypted, the effectiveness of encryption might be reduced if they are lost or stolen while in sleep mode or powered on with a locked screen.

Control: ISM-0871; Revision: 3; Updated: Apr-19; Applicability: All; Essential Eight: N/A
Mobile devices are kept under continual direct supervision when being actively used.

Control: ISM-0870; Revision: 3; Updated: Apr-19; Applicability: All; Essential Eight: N/A
Mobile devices are carried or stored in a secured state when not being actively used.

Control: ISM-1084; Revision: 4; Updated: Dec-21; Applicability: All; Essential Eight: N/A
If unable to carry or store mobile devices in a secured state, they are physically transferred in a security briefcase or an approved multi-use satchel, pouch or transit bag.

Mobile device emergency sanitisation processes and procedures

The sanitisation of mobile devices in emergency situations can assist in reducing the potential for compromise of data by an adversary. This may be achieved through the use of a remote wipe capability or a cryptographic key zeroise or sanitisation function if present.

Control: ISM-0701; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Mobile device emergency sanitisation processes, and supporting mobile device emergency sanitisation procedures, are developed and implemented.

Control: ISM-0702; Revision: 5; Updated: Dec-21; Applicability: S, TS; Essential Eight: N/A
If a cryptographic zeroise or sanitise function is provided for cryptographic keys on a SECRET or TOP SECRET mobile device, the function is used as part of mobile device emergency sanitisation processes and procedures.

Before travelling overseas with mobile devices

Personnel travelling overseas with mobile devices face additional security risks compared to travelling domestically, especially when travelling to high or extreme risk countries. As such, appropriate precautions should be taken. Personnel should also be aware that when they leave Australian borders they also leave behind any expectations of privacy.

Control: ISM-1298; Revision: 2; Updated: Oct-19; Applicability: All; Essential Eight: N/A
Personnel are advised of privacy and security risks when travelling overseas with mobile devices.

Control: ISM-1554; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
If travelling overseas with mobile devices to high or extreme risk countries, personnel are:

  • issued with newly provisioned accounts, mobile devices and removable media from a pool of dedicated travel devices which are used solely for work-related activities
  • advised on how to apply and inspect tamper seals to key areas of mobile devices
  • advised to avoid taking any personal mobile devices, especially if rooted or jailbroken.

Control: ISM-1555; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Before travelling overseas with mobile devices, personnel take the following actions:

  • record all details of the mobile devices being taken, such as product types, serial numbers and International Mobile Equipment Identity numbers
  • update all operating systems and applications
  • remove all non-essential accounts, applications and data
  • apply security configuration settings, such as lock screens
  • configure remote locate and wipe functionality
  • enable encryption, including for any removable media
  • backup all important data and configuration settings.

While travelling overseas with mobile devices

Personnel lose control of mobile devices and removable media any time they are not on their person. This includes when placing mobile devices and removable media in checked-in luggage or leaving them in hotel rooms (including hotel room safes). In addition, allowing untrusted people to access mobile devices provides an opportunity for them to be tampered with.

Control: ISM-1299; Revision: 3; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Personnel take the following precautions when travelling overseas with mobile devices:

  • never leaving mobile devices or removable media unattended for any period of time, including by placing them in checked-in luggage or leaving them in hotel safes
  • never storing credentials with mobile devices that they grant access to, such as in laptop bags
  • never lending mobile devices or removable media to untrusted people, even if briefly
  • never allowing untrusted people to connect their mobile devices or removable media, including for charging
  • never using designated charging stations, wall outlet charging ports or chargers supplied by untrusted people
  • avoiding connecting mobile devices to open or untrusted Wi-Fi networks
  • using a VPN connection to encrypt all mobile device communications
  • using encrypted messaging apps for communications instead of using foreign telecommunication networks
  • disabling any communications capabilities of mobile devices when not in use, such as cellular data, wireless, Bluetooth and Near Field Communication
  • avoiding reuse of removable media once used with other parties’ systems or mobile devices
  • ensuring any removable media used for data transfers are thoroughly checked for malicious code beforehand
  • never using any gifted mobile devices, especially removable media, when travelling or upon returning from travelling.

Control: ISM-1088; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Personnel report the potential compromise of mobile devices, removable media or credentials to their organisation as soon as possible, especially if they:

  • provide credentials to foreign government officials
  • decrypt mobile devices for foreign government officials
  • have mobile devices taken out of sight by foreign government officials
  • have mobile devices or removable media stolen that are later returned
  • lose mobile devices or removable media that are later found
  • observe unusual behaviour of mobile devices.

After travelling overseas with mobile devices

Following overseas travel with mobile devices, personnel should take appropriate precautions to ensure that they do not pose an undue security risk to their organisation’s systems and data. In most cases, sanitising and resetting mobile devices, including all removable media, will be sufficient. However, upon returning from high or extreme risk countries, additional precautions will likely be needed.

Control: ISM-1300; Revision: 5; Updated: Dec-21; Applicability: All; Essential Eight: N/A
Upon returning from travelling overseas with mobile devices, personnel take the following actions:

  • sanitise and reset mobile devices, including all removable media
  • decommission any physical credentials that left their possession during their travel
  • report if significant doubt exists as to the integrity of any mobile devices or removable media.

Control: ISM-1556; Revision: 1; Updated: Dec-21; Applicability: All; Essential Eight: N/A
If returning from travelling overseas with mobile devices to high or extreme risk countries, personnel take the following additional actions:

  • reset user credentials used with mobile devices, including those used for remote access to their organisation’s systems
  • monitor accounts for any indicators of compromise, such as failed logon attempts.

Further information

Further information on usage of mobile devices in SECRET and TOP SECRET areas can be found in the facilities and systems section of the Guidelines for Physical Security.

Further information on security briefcases can be found in the Australian Security Intelligence Organisation’s Security Equipment Guide-005, Briefcases for the Carriage of Security Classified Information. This publication is available from the Protective Security Policy GovTEAMS community or the Australian Security Intelligence Organisation by email.

Further information on approved multi-use satchels, pouches and transit bags can be found on the Security Construction and Equipment Committee’s Security Equipment Evaluated Products List.

Further information on travelling overseas with mobile devices can be found in the ACSC’s Travelling Overseas with Electronic Devices publication.
