[Win10] Limiting users that can log into a workstation using Restricted Groups CSP

The title speaks for itself. It is a useful capability for shared workstations and other scenarios where PC access needs to be limited. The credit goes to this blog post on EMM.how; you can read it for full details and pictures. I just want to make a few points that I’ve taken out of that post and add some of mine.


Remediate the Pixel4 and Galaxy S10 biometric security flaws with Workspace ONE

I am pretty sure you’ve already heard about the issues with the Samsung Galaxy S10 fingerprint sensor and Google Pixel 4 Face Unlock. Both companies have acknowledged the issues and committed to releasing the patches “soon” (Samsung is said to be testing fixes in certain countries already). What can you do in the meantime? With Workspace ONE and Android Enterprise it is easy!


On Apple, Security by Obscurity and WS1 Trust Network.

In the last several weeks a number of bugs were found in Apple’s iOS, macOS and protocols. This coincided with a partner workshop last Friday, where the decisive argument was “Have you ever heard of an antivirus for an iPhone?”

Apple is well known for refusing to publish any details behind the inner workings of its solutions, locking down everything that may be locked down and suing all those who try to work around those limitations.

Despite all that, flaws are being found, iOS was jailbroken again (because Apple unpatched a fix they implemented in 12.3) and malware on the App Store is just as common as everywhere else.

Security Researchers about Apple’s Security Through Obscurity

Important enrollment switches for Samsung KNOX with Android Enterprise (VMware Workspace ONE UEM)

Workspace ONE has a ton of features built specifically for Samsung: KNOX OEM Extensions (modern and legacy), KNOX Service Plugin support (OEMconfig), E-FOTA, KNOX Mobile Enrollment, Legacy containers, etc. There are a few switches controlling the end result. Today I want to discuss a few that pop up in my practice every few months: License Key and Enable Containers, and how they make (or break) your Android Enterprise Samsung deployment.


Future of NFC provisioning for Android (Beam deprecated in Q)?

I use NFC provisioning a lot when I work with Android Enterprise (especially the Device Owner scenarios).

Apps like AirWatch Relay or Knox Deployment make testing and playing e.a.s.y. – I don’t have to tap through the Startup Wizard, type in my 20+ char WLAN PSK, manually enroll the device etc. And I can have different profiles!

Well, boys and girls, bad news. Google has deprecated Android Beam – the technology used in those apps – in Android Q.

The good news is that reading NFC tags is still supported. So you can provision Android Q via an older phone (for now).

Or, with Android 9+ you can switch to a QR code. But on Android 8 and older you’d need to type the PSK manually, since the device needs to download the QR reader library before it can read the barcode 🙂

What are your thoughts? Are you using NFC provisioning? Leave a comment below!

Apple iOS User Enrollment vs Android Enterprise and the real MDM needs #WWDC2019

Every WWDC has a session called What’s New in Managing Apple Devices. This year’s was no exception. During this session Apple presented their new take on BYOD called User Enrollment. Here’s my brief analysis and comparison with Android Enterprise. Links to the source video, slide deck and some other useful resources are below.
TL;DR: Good stuff, but fell short.

iOS 13 User Enrollment. This and other pictures are from the original slide deck linked below.

Android Q for Enterprise: Wi-Fi MAC Randomization

Continuing with the Android Q changes that affect EMM. Today’s subject is the upcoming mandatory Wi-Fi MAC Randomization: what it is, how it affects you, and what you need to do about it now or later.

This article is based on my own exploration of the source code and may not be entirely correct. It may be updated when Q finally comes out and more details become available.
