- 31 Mar 2023
- 3 Minutes to read
- DarkLight
- PDF
Data Loss Protection (DLP)
- Updated on 31 Mar 2023
- 3 Minutes to read
- DarkLight
- PDF
Data is likely one of your organization's most valuable and sensitive assets. These data may contain intellectual property, customer information, customer correspondence and much more.
While the core Trusted Access solution is designed to only allowed trusted users on trusted and safe devices to access such data, how do you prevent intentional or accidental mishandling of it by end users?
While we all want to trust our users to always do the right thing, the ubiquity of easy-to-use and convenient consumer technologies and services makes it too easy to conduct work in unsanctioned ways.
Many orgnizations are in a position where they will tolerate this risk in the name of helping ensure employees are productive using the tools of their choice, even if some data "leaks" here and there. However, in regulated and larger organizations, the risk and volume of these "leaks" cannot be overlooked so controls must be put in place.
If your organization falls into the latter camp, Jamf's platform is able to enable IT to enforce DLP controls at multiple levels.
OS and App Level
Mobile Device Management is able to provide a foundational level of DLP on most device platforms. The controls enable and enforce functions provided by the device's operating system to limit the flow of data per the organization's requirements.
Crucially these capabilities do vary significantly by platform, and even by deployment mode. For example, a supervised corporate owned iOS device can be far more locked down than a BYOD User Enrolled device.
Just because a BYO device cannot be locked down "as much" as a corporate-owned device, this doesn't mean you cannot enforce effective DLP controls on personally-owned devices.
Specifically, DLP and resource access control must be considered in tandem. It is crucial that company data is only available to the organziation managed portion of the device, and not to an authorized user on the personal side of the device. This is achieved by Enabling Access for Trusted Devices, which specifically provides access to the organization-managed portion of the device and not personal side of the same physical device.
Once you deliver this access paradigm, the DLP controls provided by both iOS/iPadOS and Android Enterprise on BYO devices ensures protected data in the organziation partion cannot be moved elsewhere.
Examples of some DLP controls include:
- Copy/Paste controls (pasteboard) between managed and unmanaged apps
- "Open In" controls between managed and unmanaged apps
- AirDrop controls
- Disable screen recording, screenshots, and screen sharing
- iCloud data syncing controls
- Ability to add/remove accounts in system apps
- Ability to add/remove VPN configurations
- Camera controls
- Prevent the installation of specific apps
- Force encrypted backups
- Manage data shown on lock screens / notifications
See these resources for detailed capabilities by platform:
Refer to you device platforms's MDM documentation for configuring these restrictions across your organization's supported devices.
Removable Storage Devices
While device management can provide very basic external mass storage (e.g. USB drives, thumb drives) controls, Jamf Protect enables administrators to apply far more granular usage policies.
For example, USB mass storage devices can be allowed or denied based upon their encryption state or even manufactuer.
See Jamf Protect Removable Storage Controls documentation for detailed configuration steps and available policies.
Network Level
Network level DLP can be broadly approached in three ways: resource access control, deep packet inspection (DPI), and remote browser isolation (RBI).
Resource Access Control
This approach simply takes an approach of blocking sites, apps, or services that are not allowed by the organization. For example, an IT team may block an unsanctioned cloud-based file syncing service from being accessible to corporate managed devices.
This is accomplished using Block Policy Sites and Categories through traffic management technologies like DNS, DoH or VPN, available via the Jamf Security Cloud.
This is known as managing access to "Shadow IT" services. This approach works to limit access to the main known services, but the lacks the ability to control access to enterprise versus personal tenants withing a cloud service (e.g. Dropbox, Google).
Deep Packet Inspection (DPI)
See Deep Packet Inspection for details.
Remote Browser Isolation (RBI)
See Remote Browser Isolation for details.