Guidelines for ensuring secure provisioning and distribution of devices


Introduction 

This article outlines the security considerations associated with device provisioning and distribution, along with a few suggestions for maintaining the security of that process and of the devices themselves.

The importance of securing your provisioning processes 

Corporate devices intended for distribution among staff need to be equipped with the software that staff require to do their jobs.

Preparation of these devices can include: 

  • Manual set-up by end users following provided instructions (self-enrolment).
  • Manual set-up by an administrator (admin enrolment).
  • Automatic set-up with zero-touch enrolment.

Each of these methods, however, comes with a set of advantages and disadvantages that you need to weigh before choosing the right provisioning approach for your corporate devices.

Steps to consider as part of the provisioning process  

Until enrolment completes, a device is not fully under management, so security monitoring of it is limited during that window. It is therefore worth considering the following additional protections for the enrolment process itself:

  • Only allowing the enrolment of pre-registered devices. 
  • Multi-factor authentication to enable enrolment. 
  • Having in place an established time frame in which users need to enrol.  

As a business leader, it is beneficial to be aware of the following strategies and concerns that your IT provider will consider before implementing the chosen provisioning method.

Designation of devices  

How will the distributed devices be tracked, and how will their current holders be tracked, so that a problem report can be sent to the right person? Monitoring corporate assets in this way is also something your IT provider needs to be concerned about.

Different approaches for device enrolment  

Self-enrolment: End users independently enrol the device they have been given into MDM. This approach is typical in BYOD arrangements. Self-enrolment generally requires users to reach the enrolment service over the internet, which exposes that service to threat actors; multi-factor authentication should therefore be required before this method is adopted. It also depends on users following the instructions accurately, and users who are expected to enrol themselves are more exposed to social engineering attacks (for example, a fake enrolment message), which increases the possibility of device compromise.

Admin enrolment: Administrators prepare the devices before distribution. This mitigates the issues that arise from self-enrolment, and it limits the exposure of the organisation's infrastructure to potential threat actors, since users never interact with the enrolment service directly. However, when distribution is large scale, the workload placed on a small administration team can be overwhelming.

Zero-touch enrolment: Devices enrol automatically on first boot, using the organisation's MDM service details that are associated with the devices at the time of purchase. Zero-touch enrolment automates the large majority of the work that admin enrolment requires, but it does require co-ordination between procurement and device management so that every purchased device is registered against the MDM service. This approach is very advantageous for businesses provisioning and distributing devices at scale.

Applying local configuration to devices  

Some devices cannot be provisioned automatically and instead require manual set-up. In that case the IT provider may apply settings locally before handing the devices to users. The IT administrators will also need a strategy for managing the administrative credentials set during this step: reusing a single local administrator password across every device on the network, for example, is a bad idea, because the compromise of one device then gives an attacker administrative access to all of them.
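The following is an added example, not code from Securiwiser or from any particular MDM product, showing how the local administrator credentials set during manual provisioning can be kept unique per device and how a reused password can be detected. The vault is an in-memory dictionary standing in for whatever secrets store the organisation actually uses; the device serial numbers are constructed for illustration.

```python
"""Per-device local administrator passwords for manually provisioned devices.

Added example (not the page's or any vendor's code). The in-memory vault and the
serial numbers below are assumptions made for illustration.
"""
import secrets
import string
from collections import defaultdict

# Alphabet for generated passwords: letters, digits and a small set of symbols
# that are safe to type on most keyboards.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@"


def generate_local_admin_password(length: int = 20) -> str:
    """Return a random password containing at least one lower-case letter,
    one upper-case letter, one digit and one symbol. Uses the secrets module,
    not random, because these are credentials."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in "!#$%&*+-=?@" for c in candidate)):
            return candidate


def provision_local_admins(serials: list[str]) -> dict[str, str]:
    """Generate one independent local admin password per device serial.

    The returned mapping represents what would be written to the vault; the
    password is what the administrator types when applying local settings."""
    vault: dict[str, str] = {}
    for serial in serials:
        vault[serial] = generate_local_admin_password()
    return vault


def find_reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Return {password: [serials]} for every password used on more than one
    device. An empty result means every device has a unique local admin
    password, which is the property the text asks for."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for serial, password in vault.items():
        by_password[password].append(serial)
    return {pw: sorted(serials) for pw, serials in by_password.items()
            if len(serials) > 1}


if __name__ == "__main__":
    # Constructed serials for a small batch of manually provisioned laptops.
    batch = ["SN-0001", "SN-0002", "SN-0003", "SN-0004"]
    good_vault = provision_local_admins(batch)
    print("reused in generated vault:", find_reused_passwords(good_vault))

    # Constructed example of the anti-pattern: one password on every device.
    bad_vault = {s: "Welcome2024!" for s in batch}
    print("reused in shared-password vault:", find_reused_passwords(bad_vault))
```

Run `find_reused_passwords` against the real vault export as a periodic check; any non-empty result means a device was set up with a shared credential and needs its local admin password rotated.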

Distribution of the device and credentials  

Before devices and credentials are distributed to users, it must be ensured that nobody who intercepts the shipment can gain access to corporate data. For example, delivering a device without a password set is not a secure practice, and neither is shipping a device together with its password.

Sending the device password separately from the device, or letting users enrol with their existing credentials plus multi-factor authentication once the device arrives, are safer practices. If a password intended for a specific user is received by anyone else, it must be changed before the device is first used.

Biometric authentication  

This form of authentication requires the end user to be present during set-up, so it cannot be completed by an administrator in advance. If your organisation allows biometrics, users should receive guidance that explains how to set them up.

Secure provisioning  

Device provisioning can be made more secure if: 

  • Zero-touch enrolment is used wherever the devices support it.
  • Where manual enrolment is used, all endpoints involved are secured and multi-factor authentication is required to enrol.
  • Device distribution details and enrolment credentials are sent over internal email, and those credentials are changed before the device is first used.
  • Devices which have not been activated within the established time frame are monitored more closely.
  • Placeholder accounts are created for each expected device, so that it can be confirmed that every expected device, and only expected devices, enrolled.
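The following is an added example, not code from Securiwiser or from any MDM vendor, that puts the enrolment-time controls listed in this article into one gate: only pre-registered devices (placeholder accounts) may enrol, multi-factor authentication must have been completed, enrolment is only accepted within an established time frame, and devices that miss the deadline are reported for closer monitoring. The registry, serial numbers, user names and seven-day window are all assumptions made for illustration; a real deployment would take the MFA result from the identity provider and the registry from the MDM.

```python
"""Enrolment gate enforcing the controls described in the article.

Added example (not the page's or any vendor's code). The in-memory registry,
the serials, the user names and the enrolment window are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Placeholder:
    """Placeholder account created when a device is ordered for a user."""
    serial: str
    assigned_to: str
    issued_at: datetime
    enrolled_at: Optional[datetime] = None


class EnrolmentGate:
    def __init__(self, window: timedelta):
        self.window = window                      # established enrolment time frame
        self.registry: dict[str, Placeholder] = {}

    def pre_register(self, serial: str, user: str, issued_at: datetime) -> None:
        """Create the placeholder before the device is shipped."""
        self.registry[serial] = Placeholder(serial, user, issued_at)

    def enrol(self, serial: str, user: str, mfa_verified: bool,
              now: datetime) -> tuple[bool, str]:
        """Decide whether an enrolment request is accepted. Checks are ordered so
        that an unknown device is rejected before any account detail is used."""
        ph = self.registry.get(serial)
        if ph is None:
            return False, "rejected: device not pre-registered"
        if ph.enrolled_at is not None:
            return False, "rejected: device already enrolled"
        if ph.assigned_to != user:
            return False, "rejected: device assigned to a different user"
        if not mfa_verified:
            return False, "rejected: multi-factor authentication required"
        if now > ph.issued_at + self.window:
            return False, "rejected: enrolment window expired"
        ph.enrolled_at = now
        return True, "enrolled"

    def overdue(self, now: datetime) -> list[str]:
        """Serials of placeholders whose window has passed without enrolment;
        these are the devices the article says should be monitored more closely."""
        return sorted(s for s, ph in self.registry.items()
                      if ph.enrolled_at is None and now > ph.issued_at + self.window)


def run_demo() -> dict:
    """Constructed scenario: three devices issued on the same day, one attacker."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    day = timedelta(days=1)
    gate = EnrolmentGate(window=7 * day)
    for serial, user in [("SN-0001", "alice"), ("SN-0002", "bob"), ("SN-0003", "carol")]:
        gate.pre_register(serial, user, t0)

    results = {
        "unknown_device": gate.enrol("SN-9999", "mallory", True, t0 + day),
        "no_mfa":         gate.enrol("SN-0001", "alice", False, t0 + day),
        "alice_ok":       gate.enrol("SN-0001", "alice", True, t0 + day),
        "alice_again":    gate.enrol("SN-0001", "alice", True, t0 + 2 * day),
        "wrong_user":     gate.enrol("SN-0002", "mallory", True, t0 + 2 * day),
        "carol_late":     gate.enrol("SN-0003", "carol", True, t0 + 10 * day),
        "overdue":        gate.overdue(t0 + 10 * day),
    }
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:15} {outcome}")
```

The `overdue` report is the piece most often missing in practice: a placeholder that never turns into an enrolled device is either a shipment that went astray or a device that was set up outside the managed process, and both deserve a follow-up.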

About Securiwiser 

We aim to advise our clients on the implementation of specific cyber security methods, some of which will be more suitable than others depending on the type of business, to help ensure the cyber health of each client's systems.

We advise our clients (whether they are individual users or business owners) regarding various cyber threats that their businesses and operating systems may face. This includes increasing trends of certain threats and prevention methods that are cost effective and time saving.   

Furthermore, business owners, employees and general users may forget to conduct regular scans to monitor the health of their operating system, which criminals can take advantage of to gain unauthorised access by exploiting unrecognised, underlying vulnerabilities.   

Securiwiser can conduct regular scans for your system and provide a detailed cybersecurity risk assessment and a cybersecurity vulnerability assessment. We can further explain detected vulnerabilities and risks in detail to
