Skip to main content

This section of the ISM provides guidance on mobile device management.

Types of mobile devices

These guidelines describe the use of mobile devices such as laptops, mobile phones and tablets.

Mobile device management policy

Since mobile devices routinely leave the office environment, and the protection it affords, it is important that a mobile device management policy is developed to ensure that they are protected in an appropriate manner.

Security Control: 1533; Revision: 2; Updated: Aug-19; Applicability: O, P, S, TS
A mobile device management policy is developed and implemented.

Security Control: 1195; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
A Mobile Device Management solution is used to ensure mobile device management policy is applied to all mobile devices.

Security Control: 0687; Revision: 5; Updated: Sep-18; Applicability: TS
Mobile devices do not process, store or communicate TOP SECRET information unless explicitly approved by the ACSC to do so.

Privately-owned mobile devices

If organisations choose to allow personnel to use privately-owned mobile devices to access their organisation’s systems or information, they should ensure that the devices do not present an unacceptable security risk. Information on security risks, and recommended security controls, for allowing the use of privately-owned mobile devices are discussed in the ACSC’s Risk Management of Enterprise Mobility Including Bring Your Own Device (BYOD) publication.

Security Control: 1400; Revision: 4; Updated: Aug-20; Applicability: O, P
Personnel accessing official or classified systems or information using a privately-owned mobile device use an ACSC approved platform, a security configuration in accordance with ACSC guidance, and have enforced separation of official and classified information from any personal information.

Security Control: 0694; Revision: 5; Updated: Aug-20; Applicability: S, TS
Privately-owned mobile devices do not access highly classified systems or information.

Seeking legal advice for privately-owned mobile devices

Allowing privately-owned mobile devices to access an organisation’s systems or information can increase liability risk. Organisations should seek legal advice to ascertain whether this scenario affects compliance with relevant legislation (e.g. compliance with government data retention laws in the Archives Act 1983), and also consider whether the increased liability risks are acceptable to the organisation. Risks will be dependent on each organisation’s mobile device usage policy and its implementation.

Security Control: 1297; Revision: 2; Updated: Aug-20; Applicability: O, P, S, TS
Legal advice is sought prior to allowing privately-owned mobile devices to access official or classified systems or information.

Organisation-owned mobile devices

If organisations choose to issue personnel with mobile devices to access their organisation’s systems or information, they should ensure that the devices do not present an unacceptable security risk. Information on security risks, and recommended security controls, for allowing the use of organisation-owned mobile devices are discussed in the ACSC’s Risk Management of Enterprise Mobility Including Bring Your Own Device (BYOD) publication.

Security Control: 1482; Revision: 3; Updated: Aug-20; Applicability: O, P, S, TS
Personnel accessing official or classified systems or information using an organisation-owned mobile device use an ACSC approved platform with a security configuration in accordance with ACSC guidance.

Mobile device storage encryption

Encrypting the internal storage and removable media of mobile devices will lessen security risks associated with a lost or stolen device as it will present a significant challenge to an adversary looking to gain easy access to information stored on the device.

Security Control: 0869; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
All information on mobile devices is encrypted using at least an Australian Signals Directorate Approved Cryptographic Algorithm.

Mobile device communications encryption

If appropriate encryption is not available, mobile devices communicating sensitive or classified information present a security risk to such information. Encrypting communications, regardless of the protocol used (e.g. Bluetooth, infrared, Wi-Fi, 3G/4G/5G or other wireless protocols) is the only way to have any assurances that the information is protected.

Security Control: 1085; Revision: 2; Updated: Sep-18; Applicability: O, P, S, TS
Mobile devices used to communicate sensitive or classified information over public network infrastructure use encryption approved for communicating such information over public network infrastructure.

Mobile device Bluetooth functionality

Bluetooth provides inadequate security for information that is passed between mobile devices and other Bluetooth devices. As such, Bluetooth is not suitable for use with highly classified mobile devices. Furthermore, as Bluetooth has a number of known weaknesses which can potentially be exploited, the range of Bluetooth communications for all other mobile devices should be limited.

Security Control: 1202; Revision: 1; Updated: Sep-18; Applicability: O, P
The range of Bluetooth communications between mobile devices and other Bluetooth devices is restricted to less than 10 metres by using class 2 or class 3 Bluetooth devices.

Security Control: 0682; Revision: 4; Updated: Sep-18; Applicability: S, TS
Bluetooth functionality is not enabled on highly classified mobile devices.

Mobile device Bluetooth pairing

To mitigate security risks associated with pairing mobile devices with other Bluetooth devices, Bluetooth version 2.1 introduced secure simple pairing and extended inquiry response. Secure simple pairing improved the pairing experience for Bluetooth devices and introduced a form of public key cryptography while extended inquiry response provided more information during the inquiry procedure to allow for better filtering of Bluetooth devices.

In addition to using Bluetooth devices that support at least Bluetooth version 2.1, personnel should consider the location and manner in which they pair Bluetooth devices. For example, by avoiding pairing devices in public locations.

Security Control: 1196; Revision: 1; Updated: Sep-18; Applicability: O, P
Mobile devices are configured to remain undiscoverable to other Bluetooth devices except during Bluetooth pairing.

Security Control: 1200; Revision: 3; Updated: Sep-18; Applicability: O, P
Bluetooth pairing is performed using Bluetooth version 2.1 or later.

Security Control: 1198; Revision: 1; Updated: Sep-18; Applicability: O, P
Bluetooth pairing is performed in a manner such that connections are only made between intended Bluetooth devices.

Security Control: 1199; Revision: 1; Updated: Sep-18; Applicability: O, P
Bluetooth pairings are removed from mobile devices when there is no longer a requirement for their use.

Configuration control

Poorly controlled mobile devices are more vulnerable to compromise and provide an adversary with a potential access point into systems. Although organisations may initially provide secure mobile devices, the state of security may degrade over time. The security of mobile devices should be audited regularly to ensure their integrity.

Security Control: 0863; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
Mobile devices prevent personnel from installing or uninstalling applications once provisioned.

Security Control: 0864; Revision: 3; Updated: Apr-19; Applicability: O, P, S, TS
Mobile devices prevent personnel from disabling or modifying security functions once provisioned.

Maintaining mobile device security

It is important that mobile devices are regularly tested to ensure that they meet organisation-defined security configurations and that patches are being applied.

Security Control: 1365; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Mobile carriers that are able to provide timely security updates for mobile devices are used.

Security Control: 1366; Revision: 1; Updated: Sep-18; Applicability: O, P, S, TS
Mobile devices are able to accept security updates from mobile carriers as soon as they become available.

Connecting mobile devices to the internet

During the time mobile devices are connected to the internet for web browsing they are directly exposed to targeted cyber intrusions originating from the internet. Should web browsing be required, best practice involves establishing a Virtual Private Network (VPN) connection and browsing the web though an organisation’s internet gateway.

A split tunnel VPN can allow access to systems from another network, including unsecured networks such as the internet. If split tunnelling is not disabled there is an increased security risk that the VPN connection is susceptible to targeted cyber intrusions from such networks. Disabling split tunnelling may not be achievable on all mobile devices. Organisations can refer to the relevant ACSC guidance for mobile devices on how to manage security risks associated with split tunnelling.

Security Control: 0874; Revision: 4; Updated: Sep-18; Applicability: O, P
Web browsing from mobile devices is conducted through an organisation’s internet gateway rather than via a direct connection to the internet.

Security Control: 0705; Revision: 3; Updated: Sep-18; Applicability: O, P, S, TS
When accessing an organisation system via a VPN connection, split tunnelling is disabled.

Further information

Further information on the use of mobile devices can be found in the mobile device usage section of these guidelines.

Further information on using Bluetooth to communicate sensitive or classified information can be found in the wireless devices and Radio Frequency transmitters section of the Guidelines for Physical Security.

Further information on the use of encryption to reduce storage and physical transfer requirements is detailed in the cryptographic fundamentals section of the Guidelines for Cryptography.

Further information on allowing the use of privately-owned devices by personnel to access their organisation’s systems and information can be found in the ACSC’s Bring Your Own Device for Executives publication at https://www.cyber.gov.au/acsc/view-all-content/publications/bring-your-own-device-executives.

Further information and specific guidance on enterprise mobility can be found in the ACSC’s Risk Management of Enterprise Mobility Including Bring Your Own Device (BYOD) publication at https://www.cyber.gov.au/acsc/view-all-content/publications/risk-management-enterprise-mobility-including-bring-your-own-device.

Further information on securely configuring mobile devices can be found in the following ACSC publications:

Further information on configuring personal mobile devices can be found in the ACSC’s Security Tips for Personal Devices publication at https://www.cyber.gov.au/acsc/view-all-content/publications/security-tips-personal-devices.

Further information on Bluetooth security can be found in National Institute of Standards and Technology Special Publication 800-121 Rev. 2, Guide to Bluetooth Security, at https://csrc.nist.gov/publications/detail/sp/800-121/rev-2/final.