It's becoming more difficult for organizations to allow BYOD deployments, especially among non-employee workers, but some organizations don't want to wade into mobile device management.
At the same time, organizations don't want just any device accessing their data, and this is where device attestation comes in. It allows organizations to be more hands off with mobility management without sacrificing mobile device security.
What does device attestation do?
Device attestation allows organizations to learn about the security stance of devices that are trying to connect to enterprise apps and workspaces. Admins can set the baseline security stance that they want in any device requesting access to potentially sensitive information. Device attestation tools come in the form of individual security-focused apps or SDKs that developers can integrate into their own security tools and applications.
Device attestation acts as a form of contextual access where the device must pass an inspection before the user is granted access, even if they have the correct username and password.
The device attestation offerings on the market don't all check for the same things, but in general these tools try to answer at least some of the following queries:
- Is the device up to date on security and OS updates?
- Is the lock screen and PIN or password enabled?
- Is the device encrypted?
- Is the device rooted or jailbroken?
- Does the Android device pass Google SafetyNet Attestation?
The customer's IT department gets to decide what conditions a device must pass before access is granted.
When is device attestation worth considering?
Organizations that work with third parties, such as contractors and external partners that require access to company data, should consider adopting device attestation. These non-employees might need access to the organization's secure data, but they aren't likely to let the organization install mobile device management (MDM) on their devices. This is especially true if a contractor works with multiple organizations that would all want to deploy different on-device MDM agents.
Another common use case involves BYOD deployments. Employees might like the idea of using a personal device for work, but they may not be as interested in letting their organization manage their personal device. IT professionals should note that mobile application management (MAM) deployments interact with devices in a less invasive fashion. Some MAM tools even include device attestation.
Device attestation tools in the market
For organizations that fall within the above use cases or that want to avoid managing mobile devices, there are plenty of options on the market.
Google released its SafetyNet Attestation API for Android apps in 2016. It specifically looks for device factors such as if the device is a certified device that passes the Compatibility Testing Suite, a "device with custom ROM (not rooted)," a device that shows no signs of system integrity compromise such as rooting, or if the device doesn't register due to factors such as a protocol emulating script. With the SafetyNet API, Android apps can send users notifications if their device fails, suggesting actions such as locking the device's bootloader or restoring the device to a clean factory ROM.
Duo Security's Duo Mobile app, available on iOS and Android, provides a Security Checkup that investigates devices for more basic device factors. The potentially suspicious device factors include whether the mobile OS updated, the screen lock is enabled, there are signs of jailbreaking or rooting and fingerprint is enabled. For Android devices, it builds on the Google SafetyNet API as well.
Some other device attestation offerings on the market include Samsung's Knox SDK for its OEM devices; Lookout's Mobile Endpoint Security for iOS and Android, which works with some of the biggest vendors like Microsoft, VMware and Google; and Zimperium's integration with MobileIron.