This guidance is applicable to devices running Windows 10 Mobile and was developed following testing performed on a Nokia Lumia 950 managed with System Center Configuration Manager (SCCM) 2012 R2 with the Windows Intune Connector, ADFS 3.0 and Azure Active Directory Sync Services.
It is important to remember that any guidance points given here are just recommendations. None of the suggestions should be seen as being mandatory. They have been suggested as a way of satisfying the 12 security principles.
Risk owners and administrators should agree a configuration which balances the business requirements, usability and security of the platform. This guidance can be consulted for advice where needed.
Risk owners’ summary
To minimise risk when using Windows 10 Mobile as part of a remote working scenario, you should adopt the following architectural choices:
All data should be routed over a secure VPN to ensure the confidentiality and integrity of the traffic, and to benefit from your organisation’s protective monitoring solutions.
Your organisation’s application catalogue should be used to distribute in-house and trusted third-party applications.
Arbitrary third-party application installation from the public store should not be permitted on the device.
When configured in this way, risk owners should be aware of the following technical risks associated with this platform. These technical risks are associated to one of the 12 security principles for end user devices.
Associated security principle
Explanation of risks
Assured data-in-transit protection
The VPN is unable to negotiate a PRIME or Foundation compliant set of cryptographic algorithms. As such there is a risk that data transiting from the device could be compromised.
The VPN has no formal assurance in the UK, and currently does not support some of the mandatory requirements expected from assured VPNs. Without assurance in the VPN there is a risk that data transiting from the device could be compromised.
Assured data-at-rest protection
Windows 10 Mobile device encryption has no formal assurance in the UK, and does not support some of the mandatory requirements expected from assured full disk encryption products. Without assurance there is a risk that data stored on the device could be compromised.
It is not possible to set a passphrase to unlock the disk encryption key.
Removable storage media, such as SD cards, are not encrypted by Windows 10 Mobile even when device encryption is enabled.
Device update policy
Users can choose not to apply device updates if they have not been marked as critical. This may lead to security issues not being patched.
Administrators’ deployment guide
To meet the principles outlined in the End User Devices Security Framework, several recommendations are given in the table below.
Recommendation and Explanation
Assured data-in-transit protection
Use the native IPsec VPN client, with Always On, Allow VPN and Disable Manual Configuration settings.
If a Foundation Grade assured VPN client for this platform becomes available, then this assured client should be used instead.
Assured data-at-rest protection
Use the device’s native data encryption. The data is protected when powered off, but it is not protected when the device is powered on. Email data can be protected whilst the screen is locked.
Disable removable storage as non-application data stored on it is not encrypted.
Authentication
Use a password or PIN to authenticate the user to the device. This password unlocks a key which encrypts certificates and other credentials, giving access to organisation services.
Secure boot
No configuration is required.
Platform integrity and application sandboxing
No configuration is required.
Application whitelisting
The platform relies on application code signing to enforce that only applications from the Windows Store, the Windows Store for Business and other appropriately signed applications are allowed to run.
Organisations can establish an application catalogue, giving users access to an approved list of in-house applications. If the Windows Store is enabled, a whitelist can be used to control which applications can be installed.
Further restrictions may be placed on functionality within apps (particularly system applications and settings) through Kiosk Mode. Applications can also be restricted at a more granular level, with permissions for specific functionality (e.g. use of the camera) restricted to only approved applications.
Malicious code detection and prevention
Disable developer-unlocking of devices so that Windows Phone will only run applications from the Store and appropriately signed line-of-business applications from the organisation.
Applications hosted in the Windows Phone store are scanned for potentially harmful or malicious activity prior to being made available for download.
The organisation app catalogue should only contain approved in-house applications which have been checked for malicious code. Content-based attacks can be filtered by scanning on the email server.
Security policy enforcement
Disable un-enrolment from the MDM service. Settings applied to the device via the MDM service cannot then be modified or removed by the user.
The phone can optionally be configured to prevent the user performing a factory reset.
External interface protection
Wi-Fi, NFC, Bluetooth, removable storage and USB file transfers can all be disabled. Disabling SD cards will also prevent access to USB removable media when connected to a Display Dock.
Disable developer-unlocking of devices to ensure that the Device Portal web interface is not enabled on the device’s network interfaces.
Device update policy
Windows Store apps will automatically download and install updates by default. Configure the device to automatically install updates and prompt the user to reboot at a convenient time.
Event collection for enterprise analysis
Windows 10 can log security events which can be remotely retrieved.
Incident response
Windows 10 Mobile devices can be locked, wiped, and configured remotely by MDM. In the event of a compromised device, a full device wipe is recommended, but it is possible to perform a selective wipe of only organisation data stored in Work Folders and in some organisation apps.
Recommended network architecture
The diagrams below show recommended ways of integrating Windows Phone devices and server components into an organisation’s network architecture.
Recommended network architecture for Windows 10 Mobile deployments using an online MDM solution
Recommended network architecture for Windows 10 Mobile deployments using an on-premises MDM
Preparation for deployment
To prepare the organisation infrastructure:
To manage devices, deploy an MDM solution which supports the required settings.
Build a provisioning package which can join the device to the MDM and apply any configuration which cannot be directly applied by the MDM.
Procure, deploy and configure other network components, including an approved IPsec VPN gateway.
Deploy ADFS and a web application proxy if using Workplace Join.
Deploy a Company Portal app signed with your organisation’s code-signing certificate, or configure the Windows Business Store.
Set up the configuration profiles for your end-user devices in accordance with the settings later in this guidance. These include VPN profiles and corresponding client certificate profiles using Simple Certificate Enrolment Protocol (SCEP).
Device provisioning steps
To provision each device to your organisation’s infrastructure:
Assign the policies to users and devices using the MDM management interface.
Add the mobile user into the MDM and assign the required access groups. If using Intune, this can be done via Azure Active Directory sync (AAD sync), configuring it to federate identity rather than synchronising passwords to the cloud.
Load the CA certificate and the user’s SSL client certificate onto the device. They should be stored in the machine store – in the TPM if available. Client certificates can be provisioned either by using a SCEP profile, directly from the provisioning terminal or using a provisioning package.
Apply the provisioning package to the device.
Supply the device to the user. If a provisioning package is not applied, the user will need to follow enrolment steps, which may include configuring workplace join, enrolling the device on an MDM and installing a company portal app from the company store.
Recommended policies and settings
This section details important security policy settings which are recommended for a Windows 10 Mobile deployment. Other settings (e.g. server address) should be chosen according to the relevant network configuration. It is important to remember that any guidance points given here are just recommendations. None of the suggestions are mandatory. Risk owners and administrators should agree a configuration which balances business requirements, usability and security. Refer to this guidance for advice where needed.
Require a password to unlock a mobile device
Require a password when the device returns from an idle state
File encryption on mobile device
Allow manual unenrollment
Allow manual root certificate installation
Allow Microsoft account
Allow adding non-Microsoft account manually
Allow settings synchronization for Microsoft accounts
Allow non-Microsoft account
Allow application store
Allow removable storage
Allow automatic connection to free Wi-Fi hotspots
Allow phone reset
Allow USB connection
Allow AntiTheft mode
Allow Wi-Fi hotspot reporting
Allow automatic updates
Auto install and reboot at maintenance time
Additional Settings (by OMA-URI suffix)
[Permitted app whitelist]
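The settings table above names each policy but not the OMA-URI behind it or the value to push. The following script is an added example, not NCSC or Microsoft code, of how an administrator can check an MDM console's policy export against that recommended posture before enrolling devices. It assumes a constructed export format (one "OMA-URI, tab, value" line per setting), that the Windows 10 Policy CSP leaf names used here are the ones behind each row of the table, and that the expected values (mostly "0" for the Allow settings, a password required, encryption on, and AllowAutoUpdate set to auto-install-and-prompt) are the ones the guidance prose implies; these are assumptions, since the page gives the setting names only.

```python
"""Check an exported MDM policy set against the recommended Windows 10 Mobile
posture from this guidance. Added example; the Policy CSP suffixes and the
expected values are assumptions derived from the guidance prose."""
from dataclasses import dataclass
from typing import Dict, List, Optional

POLICY_ROOT = "./Vendor/MSFT/Policy/Config/"

# Recommended posture: Policy CSP suffix -> expected value (assumed).
RECOMMENDED: Dict[str, str] = {
    "DeviceLock/DevicePasswordEnabled": "0",          # 0 means a password IS required
    "Security/RequireDeviceEncryption": "1",          # file encryption on the device
    "Experience/AllowManualMDMUnenrollment": "0",     # user cannot un-enrol
    "Security/AllowManualRootCertificateInstallation": "0",
    "Accounts/AllowMicrosoftAccountConnection": "0",
    "Accounts/AllowAddingNonMicrosoftAccountsManually": "0",
    "Experience/AllowSyncMySettings": "0",
    "ApplicationManagement/AllowStore": "0",          # public Store disabled
    "ApplicationManagement/AllowDeveloperUnlock": "0",
    "System/AllowStorageCard": "0",                   # removable storage disabled
    "System/AllowUserToResetPhone": "0",
    "Connectivity/AllowUSBConnection": "0",
    "Wifi/AllowAutoConnectToWiFiSenseHotspots": "0",
    "Wifi/AllowWiFiHotSpotReporting": "0",
    "Update/AllowAutoUpdate": "1",                    # assumed: auto install, prompt to reboot
}


@dataclass
class Finding:
    suffix: str
    status: str            # "compliant", "non-compliant" or "missing"
    expected: str
    actual: Optional[str]


def parse_export(text: str) -> Dict[str, str]:
    """Parse the constructed export into {policy-suffix: value}; other CSPs are skipped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        uri, _, value = line.partition("\t")
        uri = uri.strip()
        if not uri.startswith(POLICY_ROOT):
            continue
        settings[uri[len(POLICY_ROOT):]] = value.strip()
    return settings


def check(settings: Dict[str, str]) -> List[Finding]:
    """Compare each recommended setting with what the export sets.

    A setting the MDM never pushed is reported as "missing", not assumed
    compliant: the device is then running the platform default."""
    findings: List[Finding] = []
    for suffix, expected in RECOMMENDED.items():
        actual = settings.get(suffix)
        if actual is None:
            status = "missing"
        elif actual == expected:
            status = "compliant"
        else:
            status = "non-compliant"
        findings.append(Finding(suffix, status, expected, actual))
    return findings


def summarise(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per status."""
    counts = {"compliant": 0, "non-compliant": 0, "missing": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample export: the Store was left enabled and removable
# storage was never configured; everything else matches the posture.
SAMPLE_EXPORT = """\
# constructed MDM export, not taken from a real device
./Vendor/MSFT/Policy/Config/DeviceLock/DevicePasswordEnabled\t0
./Vendor/MSFT/Policy/Config/Security/RequireDeviceEncryption\t1
./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment\t0
./Vendor/MSFT/Policy/Config/Security/AllowManualRootCertificateInstallation\t0
./Vendor/MSFT/Policy/Config/Accounts/AllowMicrosoftAccountConnection\t0
./Vendor/MSFT/Policy/Config/Accounts/AllowAddingNonMicrosoftAccountsManually\t0
./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings\t0
./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowStore\t1
./Vendor/MSFT/Policy/Config/ApplicationManagement/AllowDeveloperUnlock\t0
./Vendor/MSFT/Policy/Config/System/AllowUserToResetPhone\t0
./Vendor/MSFT/Policy/Config/Connectivity/AllowUSBConnection\t0
./Vendor/MSFT/Policy/Config/Wifi/AllowAutoConnectToWiFiSenseHotspots\t0
./Vendor/MSFT/Policy/Config/Wifi/AllowWiFiHotSpotReporting\t0
./Vendor/MSFT/Policy/Config/Update/AllowAutoUpdate\t1
./Vendor/MSFT/VPNv2/OrgVPN/AlwaysOn\ttrue
"""

if __name__ == "__main__":
    results = check(parse_export(SAMPLE_EXPORT))
    for f in results:
        if f.status != "compliant":
            print(f"{f.status:14} {f.suffix}: expected {f.expected}, got {f.actual}")
    print(summarise(results))
```

Treating "missing" as a distinct status matters: an MDM that cannot set a given policy (see the mobile device management section) leaves the platform default in place, and that gap is what the guidance says should rule the product out.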
MDM policies can be used to limit the use of features such as Bluetooth, NFC, Camera and geolocation services if required by organisational policy:
Organisations should have a consistent authentication policy that applies to all users and devices that are used to access their data. You can use the published password guidance to help inform any password policy.
For further guidance on defining an authentication policy, see the EUD Security Guidance: Authentication Policy.
Windows 10 Mobile implements a number of relevant settings that should be set by the administrator to configure the device in line with that authentication policy:
Minimum password length
Number of repeated sign-in failures to allow before the device is wiped
Minutes of inactivity before screen turns off
Required password type (including number of character sets)
In Windows 10 Mobile, the user’s passcode is not used as a source of entropy for data at rest encryption, so improving password entropy provides no additional cryptographic strength against offline attacks.
A VPN profile should be configured to negotiate the following parameters. Some of the configuration must be performed on the VPN server. Where possible, the profile below should be delivered by MDM.
The OMA-URI settings above ensure that the VPN is configured to be in an always-on mode, and that the user cannot manually modify the settings.
Use user certificates (provisioned using SCEP) over EAP-TLS
Send all traffic through the VPN
IKE DH Group
IKE Encryption Algorithm
IKE Hash Algorithm
IKE Authentication Method
This configuration differs from that of other End User Devices as Windows 10 Mobile does not support the PRIME and Foundation cryptographic profiles. A secondary VPN server or configuration may therefore need to be configured to run in parallel if other devices are being deployed.
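The VPN profile parameters above are delivered to Windows 10 as a VPNv2 CSP ProfileXML document. The fragment below is an added example, not from the page or from Microsoft, of the shape such a profile takes for the always-on, force-tunnel, EAP-TLS configuration recommended here. It assumes the profile is pushed by the MDM as the value of the OMA-URI ./Vendor/MSFT/VPNv2/OrgVPN/ProfileXML, where "OrgVPN" and vpn.example.org are placeholders; the cryptographic suite values are placeholders too, because the page's table of IKE parameters reached this copy without its values, and they must in any case match what the gateway is configured to offer.

```xml
<!-- Added example. Pushed by the MDM as ./Vendor/MSFT/VPNv2/OrgVPN/ProfileXML;
     "OrgVPN", vpn.example.org and every *_PLACEHOLDER token are placeholders. -->
<VPNProfile>
  <NativeProfile>
    <Servers>vpn.example.org</Servers>
    <!-- Send all traffic through the VPN -->
    <RoutingPolicyType>ForceTunnel</RoutingPolicyType>
    <NativeProtocolType>IKEv2</NativeProtocolType>
    <Authentication>
      <!-- User certificate (provisioned by SCEP) over EAP-TLS; the
           EapHostConfig XML is generated from a reference device -->
      <UserMethod>Eap</UserMethod>
      <Eap>
        <Configuration>EAP_TLS_EAPHOSTCONFIG_XML_PLACEHOLDER</Configuration>
      </Eap>
    </Authentication>
    <!-- IKE/ESP parameters: take these from your VPN profile table -->
    <CryptographySuite>
      <AuthenticationTransformConstants>ESP_INTEGRITY_PLACEHOLDER</AuthenticationTransformConstants>
      <CipherTransformConstants>ESP_CIPHER_PLACEHOLDER</CipherTransformConstants>
      <EncryptionMethod>IKE_ENCRYPTION_ALGORITHM_PLACEHOLDER</EncryptionMethod>
      <IntegrityCheckMethod>IKE_HASH_ALGORITHM_PLACEHOLDER</IntegrityCheckMethod>
      <DHGroup>IKE_DH_GROUP_PLACEHOLDER</DHGroup>
      <PfsGroup>PFS_GROUP_PLACEHOLDER</PfsGroup>
    </CryptographySuite>
  </NativeProfile>
  <!-- Always On: the device connects without user action -->
  <AlwaysOn>true</AlwaysOn>
  <!-- Do not cache user credentials on the device -->
  <RememberCredentials>false</RememberCredentials>
</VPNProfile>
```

Because the profile is owned by the MDM, it is the MDM that removes or changes it; delivering it this way, rather than letting users create a profile in Settings, is what gives the "disable manual configuration" behaviour the recommendation asks for.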
The following points are in addition to the common organisation considerations, and contain specific issues for Windows 10 Mobile deployments.
Windows Store and Windows Store for Business
The configuration given above prevents users installing applications from the Windows Store.
The Windows Store for Business allows organisations to make bulk purchases of apps for their employees. It provides a private store that can include apps from the public Windows Store as well as an organisation’s own Line of Business apps. When combined with a “Require private store only” MDM configuration, this can be an effective way of controlling which apps can be installed on a device.
It is still possible to distribute Line of Business apps using the Company App and Windows Intune or other compliant MDM solutions. These mechanisms usually need access to the Windows Store to install publicly available applications. If the Microsoft account is enabled to provide access to the Store, there are no organisation controls to disable Cloud backup or the ‘Find my Phone’ feature.
Mobile device management
Some of the recommended policies above are only available when using an MDM that supports the Open Mobile Alliance (OMA) device management protocol. For example, SCCM with the Windows Intune Connector.
It is essential that system architects evaluate which policies their MDM solution will allow them to set. MDM solutions that cannot set all the policies specified in the policy recommendations section should not be considered for use.
Provisioning of Windows 10 Mobile devices via MDM solutions which require cloud-based interaction is intrinsically dependent on the vendor’s online services. You should consider the risk of placing the security and control of your devices and data in the hands of a third party.
If you choose to use cloud-based services such as OneDrive, you can use our Cloud Security Guidance to help you understand both the benefits and risks of online services. The security claims made for Microsoft consumer services (such as OneDrive) and Microsoft enterprise services (such as OneDrive for Business) may be different.
The Store and default Mail applications will not function if the Microsoft account is disabled as recommended above. Access to corporate email and organisation apps is not affected by this.
Microsoft Display Dock
Windows 10 Mobile devices are able to function more like a desktop computer when used with a Microsoft Display Dock connected via USB and the Continuum app. The dock can be connected to an external monitor, with optional keyboard and mouse, allowing the phone to run modern apps as if they were running on the desktop version of Windows 10.
This technology will be most safely used when the device is configured as above to disable developer mode and prevent data sync over USB. Procedural controls to only use a corporately-owned Display Dock will reduce the risk further.
The phone has access to any USB drives plugged into the dock when the device is unlocked. This functionality is disabled by the same MDM setting that restricts the use of SD cards on the mobile device.
Enterprise Data Protection
Windows 10 Mobile introduces an early version of Enterprise Data Protection (EDP). It is designed to tag enterprise data and apps, and reduce the risk of accidental disclosure of that sensitive data through services which are not controlled by the enterprise. This feature is currently in Beta release (as of July 2016) and can be tested now. Once this feature is fully released later this year, organisations should enable it in production by following the guidance below.
With EDP, enterprise data is encrypted while the device is locked, which improves the platform’s position against the data-at-rest security principle. The decryption key can be protected with the device unlock PIN or biometric, which is backed by hardware. Data protected by EDP can be erased by the enterprise without the need for a full device wipe.
EDP can be run in a number of modes, which can:
– block all data sharing between enterprise and non-enterprise apps
– alert the user before data is copied to a non-enterprise app
– silently audit the data sharing
– disable the sharing restrictions
The following settings were tested on the pre-release version of EDP. They should be applied to devices once EDP is fully released.
App management mode
Silent or Off
Allow the user to decrypt data that was created or edited by the configured apps
Protect app content when the device is in a locked state for the configured apps
Additional Settings (by OMA-URI suffix)
Read more: NCSC Guidance