Device Compliance with Identity Manager – the less obvious implementation details

Everyone likes the idea of Device Compliance checks. It allows us to differentiate between company-issued, BYOD-enrolled, private and totally foreign devices, assess their security posture and make access decisions based on this vital data, expanding our Conditional Access options. It is also extremely easy to use, just like this (VIDM Admin Console):

Device Compliance can be easily added to any authentication method …yes

Right?

Wrong! Try it yourself and see if it works. In this post we will discuss some of the less obvious, but perfectly logical restrictions that Device Compliance imposes on your selection of authentication methods.


Google Play Managed iFrame in Workspace ONE UEM (AirWatch) – App Collections

In two previous posts dedicated to the Managed Google Play iFrame we have covered Private Apps and Web Apps. The last feature of the iFrame interface is called Collections and allows you to organize the Work Play Store app layout, as well as shoot yourself in the foot a few times…


Google Play Managed iFrame in Workspace ONE UEM (AirWatch) – Private Apps

In this post I will show a simple way to manage Private (Internal) Android Applications in the Managed Play Store with Workspace ONE UEM (AirWatch) using the Play Store Managed iFrame. This is important since it’s basically the only way to push Private apps to Android Enterprise Work Profile or COPE devices.


Securing work contacts while keeping caller ID 03: iOS with Boxer

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

Table of contents:


Securing work contacts while keeping caller ID 02: Android

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?”

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

Table of contents:


Securing work contacts while keeping caller ID 01: Android vs iOS

I had a week of customer meetings, each (literally!) asking the same question: “How can I prevent WhatsApp from grabbing the corporate contacts on my device?” This happens more often than you think – the infamous GetContact collected over 3.5B contacts in just a few months, all of which were officially available for sale! With GDPR in effect, how much could this cost?

Of course, both iOS and Android offer means to securely lock down enterprise data on BYOD devices. But this comes at the price of usability, the most cited problem being the caller ID. We know that in the modern day an unhappy and discomforted user is essentially a backdoor waiting to happen. How can we keep this balance between security and productivity?

In this series of posts we will explore the options of deploying corporate email/contacts/calendars with the goal of maximal work/personal contact separation, while trying to minimally impair the user experience (such as the Caller ID).

We will explore several approaches, their limitations and shortcomings for iOS and Android. This post lays the foundations and provides a TL;DR style summary/comparison of my current findings.

Table of contents:


Do non-overlapping channels overlap?

We all know the “non-overlapping” channels 1/6/11 in 2.4GHz (the 5GHz case is similar). Do they really not overlap? I keep bumping into this in conversations, and would like to create a point of reference (with pictures) instead of having to repeat the same old thing over and over.

BW- 2m away from AP
Your typical “non-overlapping” 1/6/11 setup

Since we are dealing with broadband technology, the signal is in reality not 100% contained within the allocated 20MHz band – we only see the tip of the iceberg. Here’s the official 802.11 20MHz OFDM channel spectral mask. Note that the “20MHz” channel actually goes up to 30MHz in every direction (60MHz total width), albeit up to -45dB weaker than the central 20MHz flat part.

Wi-Fi Spectral Mask - Single Channel
802.11 OFDM transmit spectral mask. Power levels are relative to the signal strength in the center.

Now, let’s combine the masks for all the “non-overlapping” channels together and enjoy the view.

Wi-Fi Spectral Mask - 1-6-11
Spectral masks combined together in 2.4GHz space. Can someone draw me a picture with three icebergs please?

Of course, if the APs are spaced far enough apart, the effect of side bands will be negligible: if I already hear the AP’s central frequency at -87dBm, the sidebands at another 20-26dB lower will be well below the sensitivity threshold. However, if this is not adhered to, here’s a spectrum analyzer capture of channels 1 and 11. Can you see the AP in channel one? What are the chances of it being heard?

Spectrum - 2.4GHz Ch1 Ch11 overlap
“Non-overlapping” channels 1 and 11.
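
The sideband arithmetic above can be checked numerically. The following is an added example, not part of the original post: it interpolates a 20MHz OFDM transmit mask and estimates how strong one channel's sidebands are inside a neighbouring channel. The mask breakpoints (0dBr to ±9MHz, -20dBr at ±11MHz, -28dBr at ±20MHz, -45dBr at ±30MHz), the -90dBm sensitivity and the -30dBm close-range reading are assumptions chosen for illustration.

```python
# Assumed relative transmit mask for a 20 MHz OFDM channel in 2.4 GHz:
# (offset from centre in MHz, limit in dBr). It ends at the -45 dB / 30 MHz
# point quoted in the post; real transmitters may sit below these limits.
MASK = [(0.0, 0.0), (9.0, 0.0), (11.0, -20.0), (20.0, -28.0), (30.0, -45.0)]

CHANNEL_CENTRE_MHZ = {1: 2412, 6: 2437, 11: 2462}


def mask_dbr(offset_mhz):
    """Mask limit (dBr) at a given frequency offset from the channel centre."""
    off = abs(offset_mhz)
    if off >= MASK[-1][0]:
        return MASK[-1][1]          # floor beyond the last breakpoint
    for (x0, y0), (x1, y1) in zip(MASK, MASK[1:]):
        if x0 <= off <= x1:         # linear interpolation between breakpoints
            return y0 + (y1 - y0) * (off - x0) / (x1 - x0)


def worst_leak_dbr(tx_ch, rx_ch, half_width=9.0, step=0.5):
    """Strongest sideband level of tx_ch inside the flat part of rx_ch."""
    sep = CHANNEL_CENTRE_MHZ[rx_ch] - CHANNEL_CENTRE_MHZ[tx_ch]
    points = int(2 * half_width / step) + 1
    return max(mask_dbr(sep - half_width + i * step) for i in range(points))


def sideband_audible(rssi_centre_dbm, tx_ch, rx_ch, sensitivity_dbm):
    """True if tx_ch's sidebands inside rx_ch exceed the receiver sensitivity."""
    return rssi_centre_dbm + worst_leak_dbr(tx_ch, rx_ch) > sensitivity_dbm


if __name__ == "__main__":
    for tx, rx in [(1, 6), (6, 11), (1, 11)]:
        print(f"ch{tx} -> ch{rx}: up to {worst_leak_dbr(tx, rx):.1f} dBr")
    # Distant AP from the post: centre heard at -87 dBm, sidebands are lost.
    print(sideband_audible(-87, 1, 6, sensitivity_dbm=-90))
    # Constructed close-range case (AP a couple of metres away at -30 dBm):
    # even the ch1 -> ch11 sideband stays above the assumed sensitivity.
    print(sideband_audible(-30, 1, 11, sensitivity_dbm=-90))
```

With these assumed breakpoints the adjacent-channel leak comes out at about -24dBr, inside the 20-26dB range mentioned above, while channels 1 and 11 meet only at the -45dBr floor.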

Summary:

  • Even non-overlapping channels overlap
  • Maintain separation. Either calculate using tools or use 3-5m as a rule of thumb (better use tools!)
  • Stacking APs on top of each other to provide triple density seems like a good idea, but it only works if you are Xirrus, and even they stopped doing it, as far as I know.
  • 2.4GHz is dead, move all enterprise networks to 5.

Hope this clarifies the matter enough. Is this useful enough to use as a point of reference when explaining the matter to others? Let me know your thoughts!