Enterprise Mobility Report 4/2017 - System4u
Creation date: 19.5.2017 Author: System4u, s.r.o. Enterprise Mobility Report 4/2017

System4u s.r.o., Křížová 18, 603 00, Brno, Czech Republic. Tel.: +420 543 210 522. E-mail: info@system4u.cz. Web: www.system4u.cz. Company ID (IČ): 26945231, VAT ID (DIČ): CZ26945231. Registered in the Commercial Register at the Regional Court in Brno, Section C, File 47320.

Enterprise Mobility Report

April 2017

Content

Introduction
Summary
    iOS
    Android
    Blackberry
    Windows Phone
Mobility report details
    iOS
        Vulnerability
            About the security content of iOS 10.3.1
            Apple Updates iOS to Patch Wi-Fi Vulnerability
            Apple Warns Some Users iOS 10.3 May Have Re-Enabled Some Services
        Last Version: 10.3.2
    Android
        Vulnerability
            Broadcom WiFi vulnerability allows remote code execution, affects almost all Android devices
            N-day Nvidia, Android driver security flaw details revealed
            Trend Micro discovers vulnerability in Android debugger "Debuggerd"
            Millions of Android Devices Vulnerable to Network Scan Attack
            Android Security Bulletin April 2017: What you need to know
        Last Version 7.1.2
    Blackberry
        Vulnerability
            Blackberry powered by Android Security Bulletin – April 2017
            BlackBerry is the first non-Google OEM to push April security patch
        Interesting Articles
            Blackberry is getting a huge refund from Qualcomm after a royalty dispute
    Windows Phone
        Vulnerability
            Windows 10 Mobile build 14393.1066 still doesn't fix vulnerability that exposes your photos
        Interesting Articles
            Only a subset of Windows Phones will get Windows 10 Creators Update
            Windows 10 Mobile security guide
MDM
    MobileIron
        MobileIron Core 9.3.0.2
        MobileIron Sentry 9.0.2
        Last Version
    Airwatch
        VMware Airwatch 9.1
        Last Version
    What is the Difference between MDM, EMM and UEM?

Introduction

This is the full version of System4u's Enterprise Mobility Report, issued for our customers and subscribers. Here you will find not only news about the security of the iOS, Android, BlackBerry and Windows Phone operating systems, but also interesting articles and links from the enterprise mobility world. This report also covers the EMM solutions MobileIron and Airwatch; other EMM solutions will follow in the future.

Summary

iOS

Apple iOS 10.3.1 is available for iPhone 5 or later, 4th generation iPad or later and 6th generation iPod touch or later. The update fixes a Wi-Fi vulnerability which allowed an attacker within range to execute arbitrary code. The update also addresses a stack buffer overflow through improved input validation. Apple's support page notes that this update offers a fix for the Project Zero vulnerabilities cited by Gal Beniamini, documented under CVE-2017-6975.

Apple has sent out emails to some iOS users, informing them that the recent update to iOS 10.3 may have enabled some on-device services after they were initially disabled by the user. A bug in iOS 10.3 may lead to some iCloud services being re-enabled after they were initially disabled by the user. The email suggests users should go into Settings and check to see if any of those services they turned off have been turned back on.

Android

Google is out with its April 2017 Android security update, patching 102 different vulnerabilities in the mobile operating system. Of the vulnerabilities patched by Google this month, only 15 are rated as having critical impact. Not surprisingly, the media server component is once again being patched by Google. The Android media server has been patched in every Android security update issued by Google since August 2015. In the new April update, media server accounts for 15 flaws in total, including six rated as critical, five as high and four with only moderate impact.

A researcher from Google's Project Zero security team has revealed an exploit for Broadcom WiFi chips that can allow an attacker to execute code on your device. According to the exhaustive Project Zero analysis, Broadcom is missing some very basic security measures including stack cookies, safe unlinking, and access permission protection. Broadcom chipsets have a memory protection unit, but Beniamini found it ineffective at preventing the attack. Broadcom says its next generation of chips will have more advanced protections.

Zimperium zLabs researchers published a blog post detailing the security flaws, two escalation of privilege bugs found within the NVIDIA Video driver and MSM Thermal driver. The Nvidia bug, CVE-2016-2435, impacts Android 6.0 on the Nexus 9 handset. The problem arises when attackers craft an application to tamper with read/write memory values and force privilege escalation. The second security flaw, CVE-2016-2411, involves a Qualcomm power management kernel driver, the MSM Thermal driver, in Android version 6. If an attacker crafts a malicious application, they can give themselves root access through an internal bug in the driver, leading to privilege escalation.

Trend Micro has found a new vulnerability that exists in phones running Android Ice Cream Sandwich to Lollipop. The vulnerability in the debugging program of Android, Debuggerd, allows a hacker to view the device’s memory and the data stored on it. You can create a special ELF (Executable and Linkable Format) file to crash the debugger and then you can view the dumps and log files of content stored in memory. The glitch in itself is not a big threat, but the type of data it can give a hacker access to can lead to a difficult situation. Google is said to be working on a fix for this in the next version of Android.

Researchers have recently discovered hundreds of vulnerable apps on the Google Play Store that allow hackers to inject them with malicious code which, once downloaded, steals all data from an infected Android device. The problem, according to the researchers, is that some of the apps are creating open ports on smartphones. This is not a new problem, since the same issue was faced by computers, but it is something new when it comes to smartphone technology. A team from the University of Michigan used a custom tool to scan more than 24,000 applications, and 410 of them were found to be flawed. At least one of those apps has been downloaded so many times that there are potentially millions of Android devices which are vulnerable.

Blackberry

While companies like Samsung, LG, Huawei or Motorola are pushing March security updates to their Android smartphones, BlackBerry has already started to roll out the April security patch. Considering the update has just been made available by Google for its Nexus and Pixel devices, alongside Android 7.1.2 Nougat, it looks like a great achievement on BlackBerry’s part. Besides starting to push the update to its smartphones, BlackBerry published the Android Security Bulletin that contains all the vulnerabilities fixed in this update. Apparently, there are quite a lot of security issues that have been addressed in this patch. Keep in mind that the update is rolled out OTA, so if you own a BlackBerry PRIV, DTEK50 or DTEK60 smartphone, you should be notified when the April security patch becomes available for download.

Qualcomm has to return nearly $815 million to BlackBerry for royalties the Canadian smartphone maker overpaid between 2010 and 2015.

Windows Phone

A handful of existing Windows Phone devices from Microsoft and other manufacturers will get the Windows 10 Creators Update before the end of April. Here's what's on the current list.

o Alcatel IDOL 4S

o Alcatel OneTouch Fierce XL

o HP Elite x3

o Lenovo Softbank 503LV

o MCJ Madosma Q601

o Microsoft Lumia 550

o Microsoft Lumia 640/640XL

o Microsoft Lumia 650

o Microsoft Lumia 950/950 XL

o Trinity NuAns Neo

o VAIO VPB051

Back in February, a security vulnerability was discovered in Windows 10 Mobile that leaves your photos exposed to anyone that picks up your phone. With the device locked, all you have to do is take a picture, delete it, press back, tap the thumbnail of the image, press back again, tap the thumbnail again, and then press back and tap the thumbnail one more time. With that simple process, you get access to the owner's full camera roll. The issue still hasn't been fixed in build 14393.1066. Since this vulnerability was discovered, it has not been possible to replicate it in preview builds of the Creators Update.

Mobility report details

iOS

Vulnerability

About the security content of iOS 10.3.1

Site: support.apple.com

Released April 3, 2017

Wi-Fi

Available for: iPhone 5 and later, iPad 4th generation and later, iPod touch 6th generation and later

Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Description: A stack buffer overflow was addressed through improved input validation.

CVE-2017-6975: Gal Beniamini of Google Project Zero

Apple Updates iOS to Patch Wi-Fi Vulnerability

Site: www.securityweek.com

Apple has released an emergency security update for its iOS operating system to address a

serious vulnerability affecting the Wi-Fi component.

According to the tech giant, the flaw is a stack-based buffer overflow that allows an attacker

who is within range to execute arbitrary code on the Wi-Fi chip.

The security hole, tracked as CVE-2017-6975, has been addressed with the release of iOS

10.3.1 through improved input validation, Apple said. The update is available for iPhone 5 and

later, iPod touch 6th generation and later, and iPad 4th generation and later.

iOS 10.3.1 was released just one week after Apple announced the general availability of iOS

10.3, which brings many new features and patches for nearly 90 vulnerabilities. Roughly 30 of

these security holes were reported to Apple by Google Project Zero researchers.

Apple Warns Some Users iOS 10.3 May Have Re-Enabled Some Services

Site: www.iphonehacks.com

Apple has sent out emails to some iOS users, informing them that the recent update to iOS

10.3 may have enabled some on-device services after they were initially disabled by the user.

As first reported by MacRumors, Apple has sent out emails to some iOS users, signaling that

a bug in iOS 10.3 may lead to some iCloud services being re-enabled after they were initially

disabled by the user. The email suggests users should go into Settings and check to see if any

of those services they turned off have been turned back on.

Unfortunately the email doesn’t explicitly say any one specific service that might be reactivated,

but the report does say that one user had iCloud Mail deactivated, and iOS 10.3 reactivated it:

“We discovered a bug in the recent iOS 10.3 software update that impacted a small number of

iCloud users. This may have inadvertently reenabled some iCloud services that you had

previously disabled on your device. We suggest you go to iCloud settings on your iOS device

to make sure that only the services you’d like to use are enabled. Learn more about how to

manage your iCloud settings or contact AppleCare with any questions. The iCloud team”

iOS 10.3 was launched on March 27, and Apple released iOS 10.3.1 one week after.

Last Version: 10.3.2

Android

Vulnerability

Broadcom WiFi vulnerability allows remote code execution, affects almost all Android devices

Site: www.androidpolice.com

A researcher from Google's Project Zero security team has revealed an exploit for Broadcom

WiFi chips that can allow an attacker to execute code on your device.

Gal Beniamini from Project Zero developed a method of feeding a device WiFi frames with

irregular values. This causes a stack overflow in the Broadcom firmware, and that provides an

opening to run arbitrary code on the device. The proof of concept doesn't do anything major

(and it requires the attacker to know a targeted device's MAC address), but Beniamini was

able to write values to a specific memory address. That suggests a properly motivated

individual or group could use this to hack a device.

According to the exhaustive Project Zero analysis, Broadcom is missing some very basic

security measures including stack cookies, safe unlinking, and access permission protection.

Broadcom chipsets have a memory protection unit, but Beniamini found it ineffective at

preventing the attack. Broadcom says its next generation of chips will have more advanced

protections.

This doesn't only affect Android. Apple released a patch for this vulnerability in its most recent

iOS update. On Android, it'll take a while to get devices updated. This vulnerability was fixed

in the April security patch, so there are some Android devices protected. Not very many,

though.

https://googleprojectzero.blogspot.cz/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

N-day Nvidia, Android driver security flaw details revealed

Site: www.zdnet.com

The technical details of security vulnerabilities impacting the Nvidia Video and an Android

driver have been revealed by Zimperium, which acquired the flaws as part of an exploit

acquisition program.

Zimperium zLabs researchers published a blog post detailing the security flaws, two escalation

of privilege bugs found within the NVIDIA Video driver and MSM Thermal driver.

The Nvidia bug, CVE-2016-2435, impacts Android 6.0 on the Nexus 9 handset. The problem

arises when attackers craft an application to tamper with read/write memory values and force

privilege escalation.

The second security flaw, CVE-2016-2411, involves a Qualcomm power management kernel

driver, the MSM Thermal driver, in Android version 6. If an attacker crafts a malicious

application, they can give themselves root access through an internal bug in the driver, leading

to privilege escalation.

These bugs are well documented, known, and for the most part security updates have been

issued. However, Zimperium says that making the technical details available of these so-called

"N-day" flaws is important and can act as a catalyst to boost the speed of patch production and

to iron out problems arriving between a patch being created and vendors distributing the

update in good time.

The technical details of the N-day exploits have been previously shared through Zimperium's

Handset Alliance (ZHA), which includes Samsung, Softbank, Telstra, and BlackBerry.

Trend Micro discovers vulnerability in Android debugger "Debuggerd"

Site: techalert.pk

Trend Micro has found a new vulnerability that exists in phones running Android Ice Cream Sandwich to Lollipop.

The vulnerability in the debugging program of Android, Debuggerd, allows a hacker to view the device’s memory and the data stored on it.

You can create a special ELF (Executable and Linkable Format) file to crash the debugger and

then you can view the dumps and log files of content stored on the memory.

The glitch in itself is not a big threat but the type of data it can give a hacker access to can lead

to a difficult situation.

Google is said to be working on a fix in the next version of Android for this.

Millions of Android Devices Vulnerable to Network Scan Attack

Site: www.hackread.com

Researchers have recently discovered hundreds of vulnerable apps on the Google Play Store that allow hackers to inject them with malicious code which, once downloaded, steals all data from an infected Android device.

The problem, according to the researchers, is that some of the apps are creating open ports on smartphones. This is not a new problem, since the same issue was faced by computers, but it is something new when it comes to smartphone technology.

A team from the University of Michigan has tried to use a custom tool for scanning more than

24,000 applications, and 410 of them were found to be flawed. At least one of those apps has

been downloaded so many times that there are potentially millions of Android devices which

are vulnerable.

Researchers also stated: “These newly discovered exploits can lead to a large number of severe security and privacy breaches. For example, remotely stealing sensitive data such as contacts, photos, and even security credentials and performing malicious actions such as executing arbitrary code and installing malware remotely.”

The biggest problem lies with the apps that are used for file transfer between smartphones

and computers via WiFi. The flawed security is allowing more than just the devices’ owner to

access the transfer and the devices themselves. Furthermore, apps which allow services like

WiFi File Transfer, are estimated to have been downloaded between 10 and 50 million times.

When the Michigan team scanned the campus network to determine how many devices were affected by this flaw, after only 2 minutes they were able to discover a number of vulnerable devices.

“To get an initial estimate on the impact of these vulnerabilities in the wild, we performed a port

scanning in our campus network, and immediately found a number of mobile devices in 2

minutes which were potentially using these vulnerable apps,” according to the team.

Moreover, it was found that 57 of the 410 apps are truly vulnerable and they have even

demonstrated how the attacks work by explaining that the “app opens ports by default and no

client authentication or incoming connection notifications are engaged, which put the device

user in severe danger.”

Basically, the apps are leaving open doors for any malicious code and not many of those would

miss such an invitation. Google is yet to comment on the current situation. So far, the only way

to fix this problem would be to uninstall these apps and this should not be difficult. However,

this is something that should be fixed ASAP to avoid further problems.
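The finding quoted above (apps that open ports by default with no client authentication) can be audited on a device by looking for listening sockets owned by app UIDs. The following is an added example, not part of the original report or the researchers' tool: it parses /proc/net/tcp-style text and reports app-owned listeners bound to non-loopback addresses. The sample rows are constructed, and it assumes a little-endian device, IPv4 only, and Android's convention that installed apps get UIDs from 10000 upward.

```python
import ipaddress
import socket
import struct

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  2000        0 11001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10123        0 11002
   2: 6401A8C0:0929 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10087        0 11003
   3: 6401A8C0:C350 3D2C1B0A:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 11004
   4: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11005
"""

TCP_LISTEN = 0x0A        # socket state code for LISTEN in /proc/net/tcp
FIRST_APP_UID = 10000    # assumption: Android app UIDs start at 10000


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    The kernel prints the IPv4 address as a native-endian 32-bit word,
    so on a little-endian device the bytes appear reversed.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def exposed_listeners(proc_net_tcp_text):
    """Return [(ip, port, uid)] for app-owned sockets listening off-loopback."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue  # malformed or truncated row
        if int(fields[3], 16) != TCP_LISTEN:
            continue  # established or closing connections are not listeners
        ip, port = decode_endpoint(fields[1])
        uid = int(fields[7])
        if ipaddress.ip_address(ip).is_loopback:
            continue  # only reachable from the device itself
        if uid < FIRST_APP_UID:
            continue  # system daemon, not an installed app
        findings.append((ip, port, uid))
    return findings


if __name__ == "__main__":
    for ip, port, uid in exposed_listeners(SAMPLE_PROC_NET_TCP):
        print(f"app uid {uid} listens on {ip}:{port} (reachable from the network)")
```

Each reported UID can then be mapped to its package on the device so the app can be reviewed or uninstalled, which is the remedy the article gives.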

Android Security Bulletin April 2017: What you need to know

Site: www.techrepublic.com

The April 2017 Android Security Bulletin turned out to be yet another month with the platform

once again topping its previous number of critical flaws. Get the highlights.

Once again, the Android platform has been found to contain more critical vulnerabilities than

the previous month. In March, there were eight total critical issues and now, for April, there are

a chart-topping nine. Let's take a look at those critical flaws that are detailed in the April 2017

Android Security bulletin.

Check your security release

Before we highlight what's included with the April 2017 Android Security Bulletin, it's always

good to know what security release is installed on your device.

Let's take a look at those critical vulnerabilities affecting the Android platform.

Critical issues

Remote code execution vulnerability in Mediaserver

A critical issue remains for the oft-plagued Mediaserver. Once again we have a remote code execution vulnerability within the Mediaserver that could enable an attacker, using a specially-crafted file, to cause memory corruption during media file and data processing. Because of the possibility of remote code execution, this issue has been rated as critical.

Related bugs:

A-33641588, A-33864300, A-33966031, A-34031018, A-33934721, A-34097866

Remote code execution vulnerability in Broadcom Wi-Fi firmware

Another remote code execution vulnerability has been found, this time in the Broadcom Wi-Fi

firmware. This issue could enable a remote attacker to execute arbitrary code within the context

of the Wi-Fi System on a Chip (SoC). Because of the possibility of remote code execution,

within the context of the Wi-Fi SoC, this issue has been rated as critical.

Related bug: A-34199105

NOTE: The patch for the above vulnerability is not publicly available and can be found within

the latest binary drivers for Nexus devices from the Google Developer site.

Remote code execution vulnerability in Qualcomm crypto engine driver

The Qualcomm crypto engine driver has been found to contain a remote code execution vulnerability that could enable a remote attacker to execute arbitrary code within the context of the kernel. Because of the possibility of remote code execution (within the context of the kernel) this issue has been rated as critical.

Related bugs: A-34389927, QC-CR#1091408

Remote code execution vulnerability in kernel networking subsystem

A remote code execution vulnerability was located within the kernel networking subsystem

which could enable a remote attacker to execute arbitrary code within the kernel. This bug

does not affect upstream kernels, so any kernel not labeled as upstream could be affected.

Because of the possibility of remote code execution, this vulnerability has been rated as critical.

Related bugs: A-32813456, Upstream kernel

Elevation of privilege vulnerability in MediaTek touchscreen driver

The MediaTek touchscreen driver has been found to contain an elevation of privilege

vulnerability that could enable a local malicious application to execute arbitrary code within the

kernel. Because of the possibility of device compromise (which could require reflashing the

operating system to repair the device), this issue has been rated as critical.

Related Bugs: A-30202425, M-ALPS02898189

NOTE: The patch for the A-30202425 bug is not publicly available and can be found within the

latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in HTC touchscreen driver

Another bug in a different touchscreen driver (this time in HTC devices) has been found to contain an elevation of privilege vulnerability that could enable a local malicious application to execute arbitrary code within the kernel. Because of the possibility of device compromise (which could require reflashing the operating system to repair the device), this issue has been rated as critical.

Related bug: A-32089409

NOTE: The patch for the A-32089409 bug is not publicly available and can be found within the latest binary drivers for Nexus devices from the Google Developer site.

Elevation of privilege vulnerability in kernel ION subsystem

A bug from the previous month has shown itself again. The ION Memory Allocator has been

found to contain an elevation of privilege vulnerability. This kernel vulnerability could enable a

local malicious application to execute arbitrary, malicious code within the context of the kernel.

Because of the possibility of permanent device compromise (which could require the reflashing

of the operating system), this flaw has been marked as critical.

Related bug: A-34276203

NOTE: The patch for the A-34276203 bug is not publicly available

and can be found within the latest binary drivers for Nexus devices from the Google Developer

site.

Vulnerabilities in Qualcomm components

Two critical vulnerabilities have been found to affect Qualcomm components. These bugs are

addressed, in detail, in the Qualcomm AMSS October 2016 security bulletin.

Related bugs: A-31628601, A-35358527

NOTE: The patch for both the A-31628601 and the A-35358527 bugs is not publicly available

and can be found within the latest binary drivers for Nexus devices from the Google Developer

site.

Upgrade and update

The developers will work diligently to patch the vulnerabilities, but it is up to the end users to

ensure the fixes find their way to devices. Make sure you not only check for updates, but that

you apply them as soon as they are available. To see the full listing of vulnerabilities (which

includes a number of high and moderate issues), check out the April 2017 Android Security

Bulletin.

Last Version 7.1.2

Blackberry

Vulnerability

Blackberry powered by Android Security Bulletin – April 2017

Site: support.blackberry.com

BlackBerry has released a security update to address multiple vulnerabilities in BlackBerry

powered by Android smartphones. We recommend users update to the latest available

software build.

Vulnerabilities Fixed in this Update

Summary Description CVE

Remote code execution vulnerability in Mediaserver

A remote code execution vulnerability in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing.

CVE-2017-0538 CVE-2017-0539 CVE-2017-0540 CVE-2017-0541 CVE-2017-0542 CVE-2017-0543

Elevation of privilege vulnerability in CameraBase

An elevation of privilege vulnerability in CameraBase could enable a local malicious application to execute arbitrary code.

CVE-2017-0544

Elevation of privilege vulnerability in Audioserver

An elevation of privilege vulnerability in Audioserver could enable a local malicious application to execute arbitrary code within the context of a privileged process.

CVE-2017-0545

Elevation of privilege vulnerability in SurfaceFlinger

An elevation of privilege vulnerability in SurfaceFlinger could enable a local malicious application to execute arbitrary code within the context of a privileged process.

CVE-2017-0546

Information disclosure vulnerability in Mediaserver

An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels.

CVE-2017-0547

Denial of service vulnerability in Mediaserver

A remote denial of service vulnerability in Mediaserver could enable an attacker to use a specially crafted file to cause a device hang or reboot.

CVE-2017-0549 CVE-2017-0550 CVE-2017-0551 CVE-2017-0552

Elevation of privilege vulnerability in libnl

An elevation of privilege vulnerability in libnl could enable a local malicious application to execute arbitrary code within the context of the Wi-Fi service.

CVE-2017-0553

Elevation of privilege vulnerability in Telephony

An elevation of privilege vulnerability in the Telephony component could enable a local malicious application to access capabilities outside of its permission levels.

CVE-2017-0554

Information disclosure vulnerability in Mediaserver

An information disclosure vulnerability in Mediaserver could enable a local malicious application to access data outside of its permission levels.

CVE-2017-0555 CVE-2017-0556 CVE-2017-0557 CVE-2017-0558

Information disclosure vulnerability in libskia

An information disclosure vulnerability in libskia could enable a local malicious application to access data outside of its permission levels.

CVE-2017-0559

Information disclosure vulnerability in Factory Reset

An information disclosure vulnerability in the factory reset process could enable a local malicious attacker to access data from the previous owner.

CVE-2017-0560

Remote code execution vulnerability in Broadcom Wi-Fi firmware

A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC.

CVE-2017-0561

Remote code execution vulnerability in Qualcomm crypto engine driver

A remote code execution vulnerability in the Qualcomm crypto engine driver could enable a remote attacker to execute arbitrary code within the context of the kernel.

CVE-2016-10230

Remote code execution vulnerability in kernel networking subsystem

A remote code execution vulnerability in the kernel networking subsystem could enable a remote attacker to execute arbitrary code within the context of the kernel.

CVE-2016-10229

Elevation of privilege vulnerability in kernel ION subsystem

An elevation of privilege vulnerability in the kernel ION subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0564

Vulnerabilities in Qualcomm components

Multiple vulnerabilities in Qualcomm components

CVE-2016-10237 CVE-2016-10238 CVE-2016-10239

Remote code execution vulnerability in Freetype

A remote code execution vulnerability in Freetype could enable a local malicious application to load a specially crafted font to cause memory corruption in an unprivileged process.

CVE-2016-10244

Elevation of privilege vulnerability in kernel sound subsystem

An elevation of privilege vulnerability in the kernel sound subsystem could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2014-4656

Elevation of privilege vulnerability in Broadcom Wi-Fi driver

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0567 CVE-2017-0568 CVE-2017-0569 CVE-2017-0570 CVE-2017-0571 CVE-2017-0572 CVE-2017-0573 CVE-2017-0574

Elevation of privilege vulnerability in Qualcomm Wi-Fi driver

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0575

Elevation of privilege vulnerability in Qualcomm crypto engine driver

An elevation of privilege vulnerability in the Qualcomm crypto engine driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0576

Elevation of privilege vulnerability in DTS sound driver

An elevation of privilege vulnerability in the DTS sound driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0578

Elevation of privilege vulnerability in Qualcomm sound codec driver

An elevation of privilege vulnerability in the Qualcomm sound codec driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2016-10231

Elevation of privilege vulnerability in Qualcomm video driver

An elevation of privilege vulnerability in the Qualcomm video driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0579 CVE-2016-10232 CVE-2016-10233

Elevation of privilege vulnerability in Qualcomm Seemp driver

An elevation of privilege vulnerability in the Qualcomm Seemp driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-0462

Elevation of privilege vulnerability in Qualcomm Kyro L2 driver

An elevation of privilege vulnerability in the Qualcomm Kyro L2 driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-6423

Elevation of privilege vulnerability in kernel file system

An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2014-9922

Information disclosure vulnerability in kernel networking subsystem

An information disclosure vulnerability in the kernel networking subsystem could enable a local malicious application to access data outside of its permission levels.

CVE-2014-3145

Information disclosure vulnerability in Qualcomm IPA driver

An information disclosure vulnerability in the Qualcomm IPA driver could enable a local malicious application to access data outside of its permission levels.

CVE-2016-10234

Denial of service vulnerability in Qualcomm Wi-Fi driver

A denial of service vulnerability in the Qualcomm Wi-Fi driver could enable a proximate attacker to cause a denial of service in the Wi-Fi subsystem.

CVE-2016-10235

Elevation of privilege vulnerability in kernel file system

An elevation of privilege vulnerability in the kernel file system could enable a local malicious application to execute arbitrary code outside of its permission levels.

CVE-2016-7097

Elevation of privilege vulnerability in Qualcomm Wi-Fi driver

An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2017-6424

Elevation of privilege vulnerability in Broadcom Wi-Fi driver

An elevation of privilege vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel.

CVE-2016-8465

Information disclosure vulnerability in kernel media driver

An information disclosure vulnerability in the kernel media driver could enable a local malicious application to access data outside of its permission levels.

CVE-2014-1739

Information disclosure vulnerability in Qualcomm Wi-Fi driver

An information disclosure vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to access data outside of its permission levels.

CVE-2017-0584

Information disclosure vulnerability in Broadcom Wi-Fi driver

An information disclosure vulnerability in the Broadcom Wi-Fi driver could enable a local malicious application to access data outside of its permission levels.

CVE-2017-0585

Information disclosure vulnerability in Qualcomm Avtimer driver

An information disclosure vulnerability in the Qualcomm Avtimer driver could enable a local malicious application to access data outside of its permission levels.

CVE-2016-5346

Information disclosure vulnerability in Qualcomm video driver

An information disclosure vulnerability in the Qualcomm video driver could enable a local malicious application to access data outside of its permission levels.

CVE-2017-6425

Information disclosure vulnerability in Qualcomm USB driver

An information disclosure vulnerability in the Qualcomm USB driver could enable a local malicious application to access data outside of its permission levels.

CVE-2016-10236

Information disclosure vulnerability in Qualcomm sound driver

An information disclosure vulnerability in the Qualcomm sound driver could enable a local malicious application to access data outside of its permission levels.

CVE-2017-0586

Information disclosure vulnerability in Qualcomm SPMI driver

An information disclosure vulnerability in the Qualcomm SPMI driver could enable a local malicious application to access data outside of its permission levels.

CVE-2017-6426

Vulnerabilities in Qualcomm components

Multiple vulnerabilities in Qualcomm components

CVE-2014-9937 CVE-2014-9934

BlackBerry is the first non-Google OEM to push April security patch

Site: thenokiablog.com

While companies like Samsung, LG, Huawei or Motorola are pushing March security updates

to their Android smartphones, BlackBerry has already started to roll out the April security patch.

Considering the update has just been made available by Google for its Nexus and Pixel

devices, alongside Android 7.1.2 Nougat, it looks like a great achievement on BlackBerry’s

part.

However, it’s not the first time this has happened, because BlackBerry has far fewer Android

smartphones that must receive security updates on a monthly basis.

Besides starting to push the update to its smartphones, BlackBerry published the Android

Security Bulletin that contains all the vulnerabilities fixed in this update. Apparently, there are

quite a lot of security issues that have been addressed in this patch.

Keep in mind that the update is rolled out OTA, so if you own the BlackBerry PRIV, DTEK50

or DTEK60 smartphones, then you should be notified when the April security patch becomes

available for download.

Interesting Articles

Blackberry is getting a huge refund from Qualcomm after a royalty dispute

Site: www.theverge.com

Qualcomm has to return nearly $815 million to BlackBerry for royalties the Canadian

smartphone maker overpaid between 2010 and 2015.

The decision was made out of court as part of a binding arbitration agreement. Qualcomm

says it disagrees with the decision, but the agreement is locked in and unable to be challenged.

Interest and attorney fees will also be added to the total.

The dispute was over royalties BlackBerry paid in advance to Qualcomm, seemingly for use

of Qualcomm parts or patents in its smartphones. BlackBerry argued that there was supposed

to be a cap on those royalty payments that didn’t get applied at the time, while Qualcomm

argued that BlackBerry’s payments were supposed to be nonrefundable.

Windows Phone

Vulnerability

Windows 10 Mobile build 14393.1066 still doesn't fix vulnerability that exposes your photos

Site: www.neowin.net

Back in February, a security vulnerability was discovered in Windows 10 Mobile that leaves

your photos exposed to anyone that picks up your phone. With the device locked, all you have

to do is take a picture, delete it, press back, tap the thumbnail of the image, press back again,

tap the thumbnail again, and then press back and tap the thumbnail one more time. With that

simple process, you get access to the owner's full camera roll.

The issue still hasn't been fixed in build 14393.1066. Since this vulnerability was discovered,

it hasn't been possible to replicate it in preview builds of the Creators Update, which will begin rolling

out to phones on April 25.

Unfortunately the Creators Update won't be rolling out to all Windows phones that were

supported for the Anniversary Update (AU). Because of this, it seems likely at this point that

many devices might never receive a fix at all.

The last time that a large number of handsets were supported by the Insider Preview but not

the official update was in March, 2016, when Windows 10 Mobile started rolling out to older

devices. Phones were able to continue receiving updates for version 1511, but after the

Anniversary Update was released, there were only a handful more updates.

If this is an issue that concerns you, you can always grab the Creators Update via the Windows

Insider Program, as it's available through the Slow and Fast rings. For now, all of the devices

supported for the AU can use that method.

Interesting Articles

Only a subset of Windows Phones will get Windows 10 Creators Update

Site: www.zdnet.com

Microsoft officials have said the rollout of the Creators Update to handsets with Windows 10

Mobile will begin on April 25, two weeks after the Creators Update begins rolling out to PC

users.

Not all Windows Phones running Windows 10 are going to be eligible for the Creators

Update, however, according to my sources.

Here's an alphabetical list of phones that are expected to get Creators Update:

Alcatel IDOL 4S

Alcatel OneTouch Fierce XL

HP Elite x3

Lenovo Softbank 503LV

MCJ Madosma Q601

Microsoft Lumia 550

Microsoft Lumia 640/640XL

Microsoft Lumia 650

Microsoft Lumia 950/950 XL

Trinity NuAns Neo

VAIO VPB051

Microsoft says unsupported devices on the Release Preview ring will continue to receive

cumulative updates for the Creators Update. The new build number is 15063.251.

Unfortunately for Microsoft users, that means many popular older phones can't be upgraded.

The Lumia 535, the third-most popular Windows phone, is ineligible, as well as the eighth,

ninth, and tenth most popular phones: the Lumia 930, the Lumia 730, and the Lumia 540. The

recent Acer Liquid Jade Primo, as well as popular older phones like the Lumia 1520 are

similarly excluded. By AdDuplex's standards, 39.2 percent of all Windows phones won't be

eligible to receive the Creators Update.

There is an escape hatch, however: Even officially unsupported phones can download the

Creators Update via the Windows Insider program, which puts beta builds on the phone. If

users sign up for the Release Preview, they'll essentially upgrade themselves to an "official"

release. But those phones won't be officially supported, either.

More information about Windows 10 Mobile Creators Update:

http://www.windowscentral.com/windows-10-mobile-creators-update-review

Windows 10 Mobile security guide

A very useful guide with a detailed description of the most important security features in the

Windows 10 Mobile operating system.

Site: https://docs.microsoft.com/en-us/windows/device-security/windows-10-mobile-security-guide

MDM

MobileIron

MobileIron Core 9.3.0.2 New Features Summary:

MobileIron Core is a mobile management software engine that enables IT to set policies for

mobile devices, applications and content. This enables Mobile Device Management, Mobile

Application Management, and Mobile Content Management capabilities. Important Note for

Mobile@Work for Android: If your environment has devices running Android 4.1 through 4.3,

do not upgrade to Core 9.2.0.0 or greater until all impacted devices have upgraded to

Mobile@Work for Android version 9.2.0.0 or greater.

New features summary

This section provides summaries of new features developed for the current release of

MobileIron Core. References to documentation describing these features are also provided,

when available.

General features

This section summarizes new features that are common to all platforms or are platform-independent.

• Compliance Policies: Enhanced the customization options to mark a device as non-

compliant with the introduction of Compliance Policies. It allows administrators to define their

own criteria for marking devices non-compliant by combining dozens of device and user fields

to create non-compliant matching criteria. This feature is supported for devices belonging to

Active Directory account users. For more information, refer to the Device Management Guide

> Managing Policies chapter > Compliance Policies section.

• App Catalog: The Core App Catalog no longer lists preloaded apps. NOTE: The

administrator can always import apps that were preloaded in prior Core releases by using the

App Catalog user interface. On upgrade to Core 9.3.0.0, only formerly preloaded apps that

were assigned to labels will be listed in the App Catalog. For more information, refer to the

Apps@Work Guide.

• Enhanced User Portal functionality: Device users can identify who owns their device (the

enterprise or themselves) in the User Portal when registering their device. For more

information, refer to the Device Management Guide > Troubleshooting chapter.

• Enhanced functionality for certCheckJob: Core sends an error message (and notification

message if notifications are enabled) to the Admin and discontinues attempting to reissue a

certificate until the lifetime of the issuing certificate from the CA is extended when the following

conditions occur:

- Core performs its daily maintenance check of the certificate table

- Core discovers a certificate that it can reissue

- Certificate is set to expire soon (the default is 60 days)

- Expiration date of the replacement certificate will also be within the expiry window

If the CA administrator takes no action, Core marks the certificate as expired and removes the

configuration consuming the expired certificate from the affected device(s). This feature avoids

an endless loop scenario that consumes Core processing resources, generates network traffic,

and reduces unnecessary use that can drain the device battery.
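The certCheckJob rule described above can be modelled as a daily decision function. This is an added example, not MobileIron code: the function names, the 365-day validity, the sample dates and the assumption that a reissued certificate cannot outlive the issuing CA certificate are illustrative, and only the 60-day window comes from the release notes.

```python
from datetime import date, timedelta

EXPIRY_WINDOW = timedelta(days=60)  # default expiry window named in the release notes
VALIDITY = timedelta(days=365)      # assumed lifetime requested for a reissued certificate


def replacement_not_after(today, ca_not_after):
    """Expiry date a reissued certificate would receive.

    Assumption: the CA never issues a certificate that outlives its own
    issuing certificate, so the new expiry is capped at ca_not_after.
    """
    return min(today + VALIDITY, ca_not_after)


def daily_check(cert_not_after, today, ca_not_after):
    """Model of one daily maintenance pass over a reissuable certificate."""
    if cert_not_after <= today:
        return "expire_and_remove_config"  # nobody extended the CA in time
    if cert_not_after - today > EXPIRY_WINDOW:
        return "ok"                        # not expiring soon
    if replacement_not_after(today, ca_not_after) - today <= EXPIRY_WINDOW:
        return "halt_and_alert"            # replacement would also expire soon
    return "reissue"


def simulate(start, days, cert_not_after, ca_not_after, halt_enabled=True):
    """Run the daily check for `days` days and return the list of actions.

    halt_enabled=False models the "endless loop scenario" the notes mention:
    the server keeps reissuing although each replacement is already inside
    the expiry window.
    """
    log = []
    for offset in range(days):
        today = start + timedelta(days=offset)
        action = daily_check(cert_not_after, today, ca_not_after)
        if action == "halt_and_alert" and not halt_enabled:
            action = "reissue"
        if action == "reissue":
            cert_not_after = replacement_not_after(today, ca_not_after)
        log.append(action)
        if action == "expire_and_remove_config":
            break
    return log


if __name__ == "__main__":
    # Constructed sample dates: the device certificate expires in 19 days,
    # the issuing CA certificate in 44 days.
    start, cert_end, ca_end = date(2017, 4, 1), date(2017, 4, 20), date(2017, 5, 15)
    looping = simulate(start, 10, cert_end, ca_end, halt_enabled=False)
    halted = simulate(start, 10, cert_end, ca_end)
    print("without the check:", looping.count("reissue"), "reissues in 10 days")
    print("with the check:   ", halted.count("reissue"), "reissues,",
          halted.count("halt_and_alert"), "alerts")
```

Without the check, every daily pass pushes a new certificate to the device; with it, reissuing stops until the CA certificate's lifetime is extended.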

• Strict ActiveSync to device linking: Strict ActiveSync to device linking is now enabled by

default in new MobileIron Core installations. The 'Use Strict ActiveSync to Device Linking'

setting in Sentry > Preferences is set to 'Yes', i.e. enabled, by default. This means that if

Standalone Sentry cannot successfully link an ActiveSync record to a managed device record

in Core using the ActiveSync ID, Standalone Sentry will not make any additional attempts to

associate the ActiveSync record to a managed device. If 'Use Strict ActiveSync to Device

Linking' is disabled, i.e. set to 'No', Standalone Sentry makes additional attempts to correlate

the ActiveSync record to a managed device record. These additional attempts may cause

performance issues for customers who have a large number of records. Enabling 'Use Strict

ActiveSync to Device Linking' improves Standalone Sentry performance. For more information,

refer to the MobileIron Sentry Guide.

• Delegated Administration: Several features have been added for the Space Admin.

- The Space Admin can now:

- Delete an app from the space if it doesn’t exist in any other space and if the Global

Admin has not created a global app configuration for the app.

- Edit the apps in their own space.

- Edit an app's configuration, but not change the app name, the app description,

or whether an app is available in the Android for Work container.

- Upload and import in-house and public apps in MobileIron Core.

- When a delegated admin space is removed, all the apps and their app configurations are

also removed.

- A Space column has been added to the App Catalog screen to display the space names

associated with an app.

- The Global Admin has the ability to:

- Assign permission to Space Admins allowing them to manage apps in the App Catalog

within their space.

- Add, edit, and delete web apps in the global space.

- Assign permission that allows a Space Admin to manage apps in the App Catalog in

their own space.

- Support for the Space Admin to add and distribute apps that originated from the Microsoft

Business Store Portal (BSP).

- When a delegated administration space is deleted the app configuration in that space is

deleted, but the app remains available in MobileIron Core. For details, see the “Delegated

Administration” chapter in the MobileIron Core Device Management Guide.

- The Apps@Work user experience is the same for a device managed in a subspace or in the

global space. For details on these Delegated Administration features, see the “Delegated

Administration” chapter in the MobileIron Core Device Management Guide.

• Device Encryption Status: is now reported on the Device Details tab. For details, see the

“Managing Devices” chapter in the MobileIron Core Device Management Guide.

Android features

This section summarizes new features specific to the Android platform.

• An HTTP proxy has been created to facilitate connections to Android for Work devices

without whitelisting Google IP addresses. For details, see the “Delegated Administration”

chapter in the MobileIron Core Device Management Guide for Android for Work Devices.

• The Push Notification Service provides Push Notification support for devices that do not have

GCM functionality. For details, see the “Working with Events” chapter in the MobileIron Core

Device Management Guide for Android Devices.

• Android security patch levels for each device are reported to MobileIron Core and displayed

on the Device Details tab of the Devices page. For details, see the “Managing Devices” chapter

in the MobileIron Core Device Management Guide for Android Devices.

• Support for Google Play inside the Samsung Knox Workspace and for enabling or disabling

hardware features in the Knox Workspace. For details, see the “Delegated Administration”

chapter in the MobileIron Core Device Management Guide for Android Devices.

• A VPN app can be designated as an Always-On VPN app in Android for Work. For details,

see the “Getting Started with Android for Work” chapter in the MobileIron Core Device

Management Guide for Android for Work.

• New settings have been added to the Samsung Knox Container:

- Allow Screen Capture. The Admin can enable the feature and push it to the device.

This gives the user the ability to take a screenshot to help with troubleshooting

- Allow Remote Control used by the Federal Government to alternate provisioning the

Knox container,

- Allow NFC, and Allow USB - turns on NFC and USB so that apps that need this access

will function properly.

These settings are available in the Modify Samsung Knox Container

Setting screen. For details, see the “Samsung Knox Settings” chapter in the MobileIron Core

Device Management Guide for Android Devices.

• A non-VPP licensed app will behave in a delegated administration space after the VPP

license has been removed from MobileIron Core. For details, see the “Delegated

Administration” chapter in the MobileIron Core Device Management Guide for Android

Devices.

• Support for Zebra custom configuration using XML configuration files on Zebra MC40 and

Zebra TC70 with Android 4.4 and 5.1. For details, see “Custom Configuration support for Zebra

devices” in the MobileIron Core Device Management Guide for Android Devices.

• In a delegated administration space, this release adds support for:

- Android for Work functionality for apps in a delegated administration space

- Remote Display

- Applying App configurations

- Automatic update capability for apps

- Applying and removing a label

- Sending an (App) message

For details, see the “Delegated Administration” chapter in the MobileIron Core Device

Management Guide for Android Devices.

• The user now has control over which runtime permissions to grant Mobile@Work. For details,

see the “Registering Devices” chapter in the Getting Started with MobileIron Core 9.3.0.0 for

Android Devices.

iOS features

This section summarizes new features specific to the iOS platform.

• B2B (Business to Business) VPP (Volume Purchase Program) apps can now be imported

into the App Catalog from VPP accounts. For details about VPP, see “Using the iOS Volume

Purchase Program (VPP)” in the Apps@Work Guide.

• MobileIron Core now provides Per app VPN support for IPsec. For details, see “Managing

VPN Settings” in the MobileIron Core Device Management Guide for iOS Devices.

• MobileIron Core now supports PIN-based, anonymous Apple DEP (Device Enrollment

Program) device enrollment. For details, see “Managing Devices Enrolled in the Apple Device

Enrollment Program” in the MobileIron Core Device Management Guide for iOS Devices.

• When enrolling DEP devices, you can configure MobileIron Core to keep iOS devices inside

the iOS Setup Assistant until Core has deployed all configuration profiles and restrictions to

the devices. This applies to devices running iOS 9 through the most recently released version

as supported by MobileIron. For details, see “Managing Devices Enrolled in the Apple Device

Enrollment Program” in the MobileIron Core Device Management Guide for iOS Devices.

• MobileIron Core supports the IKEv2 EAP only authentication method VPN setting for devices

running iOS 10 through the most recently released version of iOS as supported by MobileIron.

For details, see “Managing VPN Settings” in the MobileIron Core Device Management Guide

for iOS Devices.

• When configuring per app VPN, you can now specify whether the per-app VPN service will

tunnel traffic at the application layer (app-proxy) or the IP layer (packet-tunnel). For details,

see “Managing VPN Settings” in the MobileIron Core Device Management Guide for iOS

Devices.

• MobileIron Core supports Entrust decentralized mode with iOS Devices, allowing devices to

communicate directly with Entrust without certificates ever leaving the device. For details, see

“Managing Certificates and Configuring Certificate Authorities” in the MobileIron Core Device

Management Guide for iOS Devices.

• Core provides a new mechanism to support iOS managed app configuration, which allows

apps to get their app-specific configuration from Core rather than requiring the device user to

enter the values in the app. The new mechanism is easier for you to use than the legacy

mechanism. For details, see “iOS managed app configuration” in the Apps@Work Guide.

• MobileIron Core supports uploading content to the iBooks iOS app by the Space Admin in a delegated administration subspace. For details, see the “Delegated Administration” chapter in the MobileIron Core Device Management Guide for Android Devices.

Windows features

This section summarizes new features specific to the Windows platform.

• MobileIron Bridge Configuration Reversal: Core 9.3.0.0 introduces the ability for

administrators to set up MobileIron Bridge action scripts and scripts that will reverse those

actions for Windows 10 devices. NOTE: Some actions cannot have an undo action and

administrators will need to be aware of what actions can be undone before attempting to upload

an undo script. For more information, refer to the Device Management Guide > MobileIron

Bridge chapter.

• MobileIron Bridge Reporting Enhancement: This feature is supported on only Windows 10

devices. Core reports if a script was initiated successfully by MobileIron Bridge. In addition,

this release enhances the log searches using the following fields:

- State

- Object Name

- Message

For more information, refer to the Device Management Guide > MobileIron Bridge

chapter.

• Enhanced information for W32 applications: This feature supports only Windows 10 devices.

Using MobileIron Bridge, the following enhanced information for Win32 applications is

available if application developers included the information in:

- Display Version

- Developer

- Description

For more information, refer to the Device Management Guide > MobileIron Bridge chapter.

• Enhancing device inventory: Core uses a new data feed (provided by Microsoft) to allow it

to streamline application inventory data. This helps with data costs and data size and allows

Core to report on all data for Windows 10 Mobile devices and not just App store and non-store

applications. For more information, refer to the Device Management Guide > MobileIron Bridge

chapter.

• Enterprise App Store: Multi-region support is available for searching applications in the

Windows 10 store. For more information, refer to the Device Management Guide > MobileIron

Bridge chapter.

• EDP/WIP profile name change: Use of the term, Enterprise Data Protection or EDP has been

changed to Windows Information Protection or WIP in the product and the documentation. For

more information, refer to the Device Management Guide > Azure Services chapter > Windows

Information Protection section.

• Windows License Management: Admins can upgrade working SKU on the device from:

- Pro -> Enterprise

- Consumer version -> Enterprise version

For more information, refer to the Device Management Guide > MobileIron Bridge chapter.

• PassPort for Work/Windows Hello: Administrators can enhance their AAD devices to take

advantage of the Windows Hello/PassPort For Work identity passport feature. This passport

can be used as authorization to the device itself and other applications that take advantage of

the passport feature. For more information, refer to the Device Management Guide > Azure

Services chapter.

AppConnect features

This section summarizes new AppConnect features common to both AppConnect for Android and AppConnect for iOS.

• On the AppConnect global policy, the field Check for passcode strength has been renamed

to Check for AppConnect passcode strength to clarify that the passcode strength applies to

the AppConnect passcode not the device passcode. For details, see “AppConnect passcode

strength” in the AppConnect and AppTunnel Guide.

• You can now use the Core substitution variable $GOOGLE_AUTOGEN_PASSWORD$ as the value in a key-value pair in an AppConnect app configuration. For details, see “Configuring an AppConnect app configuration” in the AppConnect and AppTunnel Guide.

MobileIron Sentry 9.0.2

This release replaces the Standalone Sentry 9.0.0 release and addresses some security issues.

Summary:

A flaw has been reported in MobileIron Sentry which could lead to information disclosure. This

issue affects Sentry only in a very specific configuration in combination with external services.

An information disclosure issue has been reported in MobileIron Sentry version 9.0.0 that could

cause users to access another user's mailbox. In environments where Sentry is configured for

both Trusted Front End (TFE) and Kerberos and where the front end (e.g. F5 or NetScaler) is

configured to reuse TLS sessions between it and the Sentry, users attempting to access their

mailbox may instead access another user's mailbox.

This issue is resolved in Sentry 9.0.2. Customers running Sentry 8.5 are not impacted by this

issue. Customers are advised to upgrade to version 9.0.2 if they configure their Sentry to use:

Trusted Front End AND

Kerberos AND

Have a front end that has TLS session reuse enabled

In order to successfully exploit this issue, an attacker must have access to an email account

on a server protected by a Sentry that is configured for TFE and Kerberos and where the front

end will reuse the TLS session to Sentry. By default, MobileIron Core does not use these

features.

In these instances, Sentry will associate the TLS session from the front end with the first user

to authenticate over that connection. This can incorrectly lead subsequent users to access that

first user’s mailbox.
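The failure mode described above, as an added example that is not MobileIron code: a simplified Python model in which a gateway behind a trusted front end caches the first identity seen on a reused TLS session, next to a variant that resolves identity on every request. All class, function and user names are hypothetical and the traffic is constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    tls_session_id: str  # front-end-to-gateway TLS session (the front end may reuse it)
    asserted_user: str   # identity the trusted front end forwards for this request


@dataclass
class SessionBoundGateway:
    """Flawed model: the first user seen on a TLS session is cached and reused."""
    _session_user: dict = field(default_factory=dict)

    def mailbox_for(self, req: Request) -> str:
        # setdefault keeps the FIRST identity bound to the session forever.
        return self._session_user.setdefault(req.tls_session_id, req.asserted_user)


class RequestBoundGateway:
    """Hardened model: identity comes from each request; the session is only transport."""

    def mailbox_for(self, req: Request) -> str:
        return req.asserted_user


def cross_user_hits(gateway, traffic):
    """Return (session, requesting user, mailbox served) for every mismatch."""
    hits = []
    for req in traffic:
        served = gateway.mailbox_for(req)
        if served != req.asserted_user:
            hits.append((req.tls_session_id, req.asserted_user, served))
    return hits


def shared_sessions(traffic):
    """Sessions carrying more than one user: the precondition for the flaw."""
    users = {}
    for req in traffic:
        users.setdefault(req.tls_session_id, set()).add(req.asserted_user)
    return {sid: sorted(u) for sid, u in users.items() if len(u) > 1}


# Constructed traffic: the front end reuses session "s1" for alice and bob.
TRAFFIC = [
    Request("s1", "alice"),
    Request("s1", "bob"),
    Request("s2", "carol"),
    Request("s1", "bob"),
]

if __name__ == "__main__":
    print("shared sessions:", shared_sessions(TRAFFIC))
    print("flawed gateway :", cross_user_hits(SessionBoundGateway(), TRAFFIC))
    print("hardened       :", cross_user_hits(RequestBoundGateway(), TRAFFIC))
```

On the constructed traffic only the session shared by two users produces mismatches, which is why the advisory limits exposure to front ends with TLS session reuse enabled.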

MobileIron Impact

This issue has been rated as having Medium severity by the MobileIron Security Team.

This issue affects the following MobileIron Sentry version: MobileIron Sentry 9.0.0

Please note that customers are only affected if they configure MobileIron Sentry to use:

Trusted Front End AND

Kerberos AND

Have a front end that has TLS session reuse enabled

New Features Summary:

The following are new features and enhancements in Standalone Sentry that are available for

MobileIron Core and MobileIron Cloud:

• Standalone Sentry system health data can be pushed to MobileIron Monitor. Previously, only audit log data could be pushed to MobileIron Monitor. Standalone Sentry treats MobileIron Monitor as any other syslog server.

The following commands were updated:

- syslog: Added port, protocol, and facility for configuring the syslog server.

- show logging: Added port, protocol, and facility type to the output.

The following commands were added:

- sentry health-monitor

- no sentry health-monitor

- show sentry health-monitor

• TCP is now a supported protocol for sending log data from Standalone Sentry to your

syslog server.

• Audit logs show the inner connections for IP Tunnel traffic. The EntryType in the log is set

to IP_VPN_CONN. An additional field, type, identifies the inner connection that was

attempted. It can be one of the two values: UDP or TCP. Correlation is done through

useCaseID of the original tunnel establishment request.

• The Cipher TLS_DHE_DSS_WITH_AES_128_CBC_SHA has been removed from the

supported list of ciphers for Sentry Server Role (Incoming SSL configuration).

• The following two new CLI commands allow administrators to verify a KCD configuration

by issuing a Kerberos ticket for a particular user.

- debug sentry kerberos request-ticket host-port <upn> <realm> <hostname> [port]

- debug sentry kerberos request-ticket spn <upn> <realm> <spn>

The Kerberos tickets issued using the debug commands are for testing and debugging

purposes only and are not cached or reused.

• The default subnet mask that Standalone Sentry uses internally for IP tunnels has been changed from 172.28.13.1/30 to 172.28.13.0/29. If you have a host in your internal network with the IP address within the subnet 172.28.13.0/29, you must change the subnet Standalone Sentry uses for IP tunneling. Contact MobileIron Support for instructions on how to change the default subnet mask that Standalone Sentry uses for IP tunneling.

• Garbage Collection (GC) logs are enabled by default. The GC logs are automatically added

to show-tech. When you upgrade to version 9.0.0, GC logs are enabled. You can configure

GC logging via Sentry CLI commands.
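For the IP tunnel subnet change listed above, a pre-upgrade check of an address inventory against the new 172.28.13.0/29 range can be scripted. The following Python is an added example, not a MobileIron tool; the inventory entries are constructed, the function name is hypothetical, and the old value 172.28.13.1/30 is assumed to denote the network 172.28.13.0/30.

```python
import ipaddress

# Values from the release note. The old value has host bits set, so it is
# normalised with strict=False (assumption: it denotes 172.28.13.0/30).
OLD_TUNNEL_NET = ipaddress.ip_network("172.28.13.1/30", strict=False)
NEW_TUNNEL_NET = ipaddress.ip_network("172.28.13.0/29")


def find_conflicts(inventory):
    """Check (name, address-or-CIDR) pairs against the new tunnel subnet.

    Returns (name, normalised value, status) tuples where status is:
      "existing"          - already overlapped the old /30 range
      "new-after-upgrade" - overlaps only the wider /29 range
      "unparseable"       - entry needs manual review
    CIDR entries are treated as whole networks; IPv6 entries are skipped.
    """
    results = []
    for name, value in inventory:
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:
            results.append((name, value, "unparseable"))
            continue
        if net.version != 4 or not net.overlaps(NEW_TUNNEL_NET):
            continue
        status = "existing" if net.overlaps(OLD_TUNNEL_NET) else "new-after-upgrade"
        results.append((name, str(net), status))
    return results


# Constructed sample inventory (hostnames and addresses are illustrative).
INVENTORY = [
    ("mail01", "172.28.13.2"),       # inside both the old /30 and the new /29
    ("print03", "172.28.13.6"),      # inside the new /29 only
    ("lab-vlan", "172.28.12.0/23"),  # routed network that contains the tunnel range
    ("dc01", "172.28.13.8"),         # first address outside the /29
    ("legacy", "172.28.13.300"),     # malformed entry
    ("v6host", "fd00::1"),           # IPv6, not relevant to this check
]

if __name__ == "__main__":
    for name, value, status in find_conflicts(INVENTORY):
        print(f"{name:10} {value:18} {status}")
```

Entries reported as "new-after-upgrade" are the ones that only start to collide once the wider /29 range is in use.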

MobileIron Cloud features

The following are new features and enhancements in Standalone Sentry introduced for

MobileIron Cloud:

• Advanced traffic control (ATC) can be configured on MobileIron Cloud. Administrators can

configure both domain-based as well as IP-based rules. For Standalone Sentry configured

on MobileIron Cloud, ATC rules can also be applied to IP traffic.

• Physical and VLAN interface fields, as well as the DNS and hostname fields, are not

editable for a Standalone Sentry installed on Amazon Web Services (AWS) or on Microsoft

Azure. These are assigned by the AWS or the Microsoft Azure infrastructure.

• Standalone Sentry supports the tiered action feature in MobileIron Cloud. For more

information see the documentation for MobileIron Cloud.

Last Version

MobileIron Core: 9.3.0

MobileIron Sentry: 9.0.2

Integrated Sentry: 6.2.1

Mobile@Work for Android: 9.3.0.2

Secure Apps for Android: 7.7.0.0

Email+ for Android: 2.3.0

Docs@Work for Android: 2.0.0

Web@Work for Android: 2.0.0

Mobile@Work for iOS: 9.1.0

Email+ for iOS: 2.4.0

Docs@Work for iOS: 2.2.0

Web@Work for iOS: 1.9.3

Airwatch

VMware Airwatch 9.1 Release Highlights

• Expanded support for Windows 10 including OS patch management, BitLocker encryption and online BSP licensing

• Simple and secure Android for enterprise with new deployment methods, Google Play integrations, and more

• Extension of one-touch mobile SSO across apps with unified access control

• Take device actions based on defined events or conditions such as battery, memory level and more

• Windows Unified Agent 9.1 is seeded in the AirWatch Console

Complete Release notes:

https://my.air-watch.com/help/9.1/en/Content/Release_Notes/Help_Release_Notes.htm

Last Version

VMware Airwatch 9.1.

AirWatch Agent for iOS 5.4.2

VMware Browser for iOS 6.2.1

VMware Content Locker for iOS 4.3

AirWatch Inbox for iOS 3.2

AirWatch Tunnel for iOS 1.3.4

VMware Boxer for OS 4.4.1

AirWatch Container 2.5

AirWatch Agent for Android 7.1.4.151

VMware Browser for Android 6.2.0.30

VMware Content Locker for Android 3.3.0.11

AirWatch Inbox for Android 3.2.0.24

VMware Boxer for Android 4.3.0.33

AirWatch Container 3.4.0.19

What is the Difference between MDM, EMM and UEM?

Site: www.42gears.com

Managing mobile devices across business operations is more critical to enterprise success than ever before. Several categories of mobile security products like MDM (Mobile Device Management) and EMM (Enterprise Mobility Management) have emerged to address the problems related to data security and privacy. Here are a few pointers which will explain the basic difference between these products:

MDM (Mobile Device Management)

MDM is all about remotely managing devices, allowing users to perform certain prescribed tasks on their phones and tablets. MDM includes features like device provisioning, enrollment, device security and location tracking. It also helps in wiping the data in case the device is stolen or lost. A basic MDM tool has the ability to enforce security policies, track inventory and perform real-time monitoring and reporting.

From a security standpoint, this was a perfectly reasonable way to manage a company-owned

device. But some employees were not very comfortable carrying two separate devices for

business and personal use. So it was in the interest of businesses to consider employees’

demand for BYOD (Bring Your Own Device). A single device which gave employees the

flexibility and ease to shift from personal to work use, anywhere, and anytime.

The rapid growth of the smartphone and mobile application market and the need for data security led to the creation of Mobile Application Management (MAM) solutions that limited management and control to specific business applications. Mobile Application Management is like MDM, except that it’s only applied to specific applications on a device instead of the entire device. MAM helps in creating an enterprise app store and pushing or updating necessary apps on business devices remotely. But sometimes MAM has its own set of challenges as well. Since every business app requires unique coding to work with each individual MAM product, the availability of apps for a specific standalone platform can be limited.

Nonetheless, MAM was a perfect settlement between employees and employers without

compromising data security and interfering in employee privacy. But in practice, the experience

was not so great as it cannot be easily extended to support the majority of native app-store

applications. After that, there were several small development stages where the experience

got redefined with the evolution of applications such as MIM (Mobile Information Management)

and MCM (Mobile Content Management). They are focused on the security of a particular

document repository where employees and employers access and share documents or files

without affecting the entire device or other applications.

EMM (Enterprise Mobility Management)

And finally, it reached the stage of EMM. EMM is nothing more than the combination of MDM and MAM solutions equipped with a secure container that keeps business data secure. An EMM solution, in addition to MDM, offers Mobile App Management, Mobile Content Management, App Wrapping and Containerization. EMM is a complete package of services which offers complete data security on BYOD and COSU devices for enterprises.

While MAM and MDM solutions were going through continuous upgrades to match the growing needs of data security in enterprises, BYOD as a concept came into the picture, which allowed end users to bring in their own mobile devices and get them enrolled into IT’s corporate resources. BYOD is enabled through the concept of containerization, letting the IT Admin segregate company and personal data on the same handheld. It helps the IT Admin create encrypted, policy-enabled and distinct containers in employees’ personal devices to use browser apps and deliver specific email and data.

Mobile Device Management (MDM), Enterprise Mobility Management (EMM) and Unified

Endpoint Management (UEM)

Simply put, the main difference between MDM and EMM is that MDM manages all the features

of the device while EMM manages the entire device. EMM provides policy compliance, app

customization, data and document security and incorporates into the network directory

services.

UEM (Unified Endpoint Management)

The move from MDM to EMM has been quite rapid as more organizations are realizing the need to protect their networks and ensure data compliance. And with new progressive technologies entering the global market, the world is moving towards a new set of EMM solutions like Unified Endpoint Management (UEM), which allow businesses to manage all endpoints like laptops, mobiles, tablets, PCs, printers and wearables using a single extensive EMM solution.