| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1517 | Access Notifications | On Android devices with a work profile, the DevicePolicyManager.setPermittedCrossProfileNotificationListeners method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy does not affect notifications generated by the rest of the device. The DevicePolicyManager.setApplicationHidden method can be used to disable notification access for unwanted applications, but this method also blocks that entire application from running. |
| mobile | T1428 | Exploitation of Remote Services | Configuring per-app VPN policies instead of a device-wide VPN can restrict access to internal enterprise resources via VPN to only enterprise-approved applications. |
| mobile | T1629 | Impair Defenses | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features. |
| mobile | T1629.001 | Prevent Application Removal | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features. |
| mobile | T1417 | Input Capture | When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end user. An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features. |
| mobile | T1417.001 | Keylogging | When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end user. |
| mobile | T1417.002 | GUI Input Capture | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features. |
| mobile | T1516 | Input Injection | An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features. |
| mobile | T1430 | Location Tracking | If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device's physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. |
| mobile | T1430.001 | Remote Device Management Services | If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device's physical location. This is typically used for a Bring Your Own Device (BYOD) deployment. |
| mobile | T1461 | Lockscreen Bypass | Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times. Both policies mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication; however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently. |
| mobile | T1458 | Replication Through Removable Media | Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). |
| mobile | T1513 | Screen Capture | Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android DevicePolicyManager.setPermittedAccessibilityServices method to set an explicit list of applications that are allowed to use Android's accessibility features. |
| mobile | T1632 | Subvert Trust Controls | On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. |
| mobile | T1632.001 | Code Signing Policy Modification | On iOS, the allowEnterpriseAppTrust and allowEnterpriseAppTrustModification configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys. |
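As an added illustration of the DevicePolicyManager allowlists referenced in the Android rows above (example code written for this page, not code from ATT&CK or from the Android project): an EMM/MDM agent that holds device owner or profile owner status applies the accessibility-service allowlist and the cross-profile notification listener allowlist, then reads the effective policy back to confirm it took effect. MyDeviceAdminReceiver and the package names in the allowlists are assumed placeholders.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import java.util.Arrays;
import java.util.List;

/**
 * Applies the DevicePolicyManager allowlists from an EMM/MDM agent that is
 * device owner or profile owner. MyDeviceAdminReceiver is a hypothetical
 * DeviceAdminReceiver subclass declared by the agent.
 */
public final class AccessibilityAndNotificationPolicy {
    // Constructed sample allowlists; a real EMM would pull these from its console.
    private static final List<String> ALLOWED_ACCESSIBILITY_PACKAGES =
            Arrays.asList("com.example.approved.screenreader");
    private static final List<String> ALLOWED_NOTIFICATION_LISTENERS =
            Arrays.asList("com.example.approved.wearcompanion");

    private final Context context;
    private final DevicePolicyManager dpm;
    private final ComponentName admin;

    public AccessibilityAndNotificationPolicy(Context context) {
        this.context = context;
        this.dpm = (DevicePolicyManager) context.getSystemService(Context.DEVICE_POLICY_SERVICE);
        this.admin = new ComponentName(context, MyDeviceAdminReceiver.class);
    }

    /** Restrict accessibility services to the allowlist (T1629, T1417, T1516, T1513). */
    public boolean applyAccessibilityAllowlist() {
        // Returns false if a currently enabled non-system service is missing from the
        // list; system accessibility services always remain available to the user.
        boolean ok = dpm.setPermittedAccessibilityServices(admin, ALLOWED_ACCESSIBILITY_PACKAGES);
        // Read back for verification; null means no restriction is in effect.
        List<String> effective = dpm.getPermittedAccessibilityServices(admin);
        return ok && effective != null;
    }

    /** Restrict personal-profile notification listeners (T1517); work profile only. */
    public boolean applyCrossProfileNotificationAllowlist() {
        // Only the profile owner of a managed (work) profile may set this policy.
        if (!dpm.isProfileOwnerApp(context.getPackageName())) {
            return false;
        }
        return dpm.setPermittedCrossProfileNotificationListeners(admin, ALLOWED_NOTIFICATION_LISTENERS);
    }
}
```

Both setters return false when the platform rejects the list, so the agent should log that result rather than assume the policy is active.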