MobileIron Platform Security


Dec 9, 2013 (3 years and 4 months ago)


- 1 -
© 2010 MobileIron

Platform Security

Technical Brief
MobileIron devotes significant attention to security across all phases of product design and deployment, with a
focus on ensuring that, as a hardened appliance intended for deployment in the DMZ, the MobileIron VSP is
protected from external attacks and unauthorized internal access. Our approach to ensuring this level of security
employs the following industry-standard requirements:
• Hardened operating system
• Tightly-coupled components
• Controlled administrative access
• User credential protection
• Secure client-server communications
• Continuous vulnerability assessment and security updates
Hardened Operating System
The MobileIron VSP operating system is based on the current release of CentOS v5.4, a standard, stable,
enterprise-class Linux distribution. To ensure that standard components of the distribution cannot be used to
compromise the solution, we strip down the packages and include only the minimum set of RPMs necessary for
operation of the system. Any OS components that are not required for the MobileIron application are removed,
including debuggers, compilers (and other developer-oriented tools), and administrative functions common to
mainstream Linux implementations. Unnecessary ports are also disabled; by default, only port 22 is open until
the administrator completes the VSP configuration.
Tightly-Coupled Components
The operating system is tightly coupled with the application and database servers, ensuring that each
component can be used only for its intended purpose:
• The Tomcat server binds to the Linux loopback interface and cannot be addressed directly over the
• The Apache HTTP server sits in front of the Tomcat server and permits only certain URLs to be accessed.
• No direct access is granted to the MySQL database without root privileges.
Controlled Administrative Access
All admin-level access can be configured to occur via SSH (CLI) or HTTPS (Web UI) and is controlled by a granular,
role-based access scheme. We also recommend customers enable access to these ports only on an internal
network. If that is not possible, administrators can set system-level ACLs to allow only inbound requests from
the internal network. Administrators can authenticate via an internal database or through an Active
Directory/LDAP server.

- 2 -
© 2010 MobileIron

MobileIron Platform

User Credential Protection
AD passwords are cached and encrypted with a 256-bit AES key. The key for each password is chosen randomly
from a ring of 5 keys. Additionally, the system stores a SHA-256 hash of each password. Passwords for
administrative accounts stored in the local database are encrypted using the same scheme. Note that we do not
store AD credentials by default. The option to cache AD credentials can be enabled by the system administrator
to simplify configuration of corporate services (i.e., Exchange, Wi-Fi, and VPN).
Secure Client-Server Communication
Given the nature of mobile devices and their connection to the public, client/server communication is of
particular concern. All communication occurring between the VSP and a managed device occurs over a TLS
tunnel that is encrypted with a 128-bit AES key. By default, MobileIron supports the use of self-signed
certificates so customers can quickly evaluate the solution, but customers are encouraged to upload their
corporate certificates for production deployments.
Email transfers between devices and corporate email servers can be configured for routing through the
MobileIron Sentry Standalone component. All email interactions in this configuration are handled via TLS.
Continuous Vulnerability Assessments and Security Updates
MobileIron continuously monitors various sources for potential vulnerabilities. With every release, we evaluate
all components to determine which updates are required, and we update the OS or individual RPMs to address
security or other concerns. We also provide software patches for any critical security issues as necessary.
MobileIron recognizes that we play an important role in establishing a secure environment for managing
enterprise-enabled mobile devices. With that role comes the responsibility to mitigate possible security risks and
vulnerabilities across our entire solution. Our rigorous design principles, best practices development, and
continuous support ensure the security necessary to protect enterprise assets.