ワンクリックで
mobile-device-management
BYOD policy, personal device security, endpoint protection, and mobile app security
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
メニュー
BYOD policy, personal device security, endpoint protection, and mobile app security
Codex または Claude でインストール この Prompt をコピーして Codex、Claude、または他のアシスタントに貼り付けると、Skill ページを確認してインストールできます。
SOC 職業分類に基づく
GitHub Agentic Workflows (gh-aw) - markdown-based AI automation with 5-layer security, safe outputs, and Continuous AI patterns
gh-aw CLI usage, compilation, testing, debugging, add-wizard, and CI/CD practices for GitHub Agentic Workflows
Multi-agent coordination, orchestrator-worker patterns, /plan decomposition, and project coordination for GitHub Agentic Workflows
5-layer defense-in-depth security for GitHub Agentic Workflows - safe outputs, threat detection, AWF firewall, and zero-trust patterns
Continuous AI patterns from Agent Factory - issue triage, documentation sync, code quality, security scanning, and project coordination
GDPR compliance including privacy by design, data protection requirements, consent management, right to be forgotten, and data breach response
| name | Mobile Device Management |
| description | BYOD policy, personal device security, endpoint protection, and mobile app security |
| license | Apache-2.0 |
| version | 1.0 |
| author | Hack23 AB |
| tags | ["mobile-device-management","byod","endpoint-protection","mobile-security","device-encryption"] |
| category | security |
| frameworks | ["ISO 27001:2022","NIST CSF 2.0","CIS Controls v8.1"] |
| related_policies | ["Mobile_Device_Management_Policy.md","Access_Control_Policy.md","Cryptography_Policy.md"] |
This skill enforces mobile device management (MDM) controls for BYOD (Bring Your Own Device) environments, personal device security requirements, and endpoint protection. Based on Hack23 AB's Mobile Device Management Policy, it demonstrates enterprise-grade MDM without enterprise infrastructure.
Key Principle: "BYOD means 'Bring Your Own Disaster'—but only if devices remain unmanaged."
This skill covers:
Mobile device controls you MUST implement:
📱 Device Enrollment & Policy
mdm_requirements:
enrollment:
pre_enrollment:
- device_assessment: verify_os_version_and_security_status
- ownership: personal_device_acknowledged
- consent: user_agrees_to_MDM_policies_and_remote_wipe
enrollment_platforms:
aws_workmail:
email_access: mdm_profile_required_for_corporate_email
enforcement: email_not_delivered_until_enrolled
alternative_mdm:
intune: supported_for_future_employee_devices
jamf: supported_for_ios_macos_fleet
workspace_one: supported_for_enterprise_deployment
policy_enforcement:
mandatory_controls:
- device_encryption: full_device_encryption_required
- screen_lock: automatic_lock_5_minutes_maximum
- passcode_complexity: 6_digit_minimum_or_biometric
- os_updates: critical_security_patches_within_30_days
- jailbreak_detection: rooted_jailbroken_devices_blocked
🔐 Encryption & Authentication
device_security:
encryption:
ios_devices:
- device_encryption: enabled_by_default_ios_8_and_later
- verification: mdm_reports_encryption_status
- backup_encryption: icloud_backup_encrypted
android_devices:
- device_encryption: mandatory_android_10_and_later
- verification: mdm_checks_encryption_status
- sd_card: external_storage_encrypted_if_used
workstations:
- ubuntu_luks: full_disk_encryption_mandatory
- windows_bitlocker: required_for_windows_devices
- macos_filevault: required_for_mac_devices
authentication:
mobile_devices:
- screen_lock: biometric_preferred_pin_backup
- timeout: 5_minutes_idle_maximum
- failed_attempts: 10_attempts_before_wipe_or_lockout
mfa_requirements:
- totp: google_authenticator_or_authy_required
- hardware_tokens: yubikey_for_critical_systems
- sms_backup: acceptable_but_not_primary_method
📲 App Management & Containerization
application_control:
corporate_email:
approved_email_apps:
- ios_native_mail: with_aws_workmail_mdm_profile
- android_gmail: with_workmail_integration
- outlook_mobile: with_workmail_configuration
data_separation:
- corporate_container: email_calendar_contacts_isolated
- personal_data: unaffected_by_selective_wipe
- copy_paste: restricted_from_corporate_to_personal_apps
business_apps:
approved_list:
- authenticator: google_authenticator_authy_microsoft
- secure_messaging: signal_for_confidential_communications
- cloud_access: aws_console_github_mobile
- vpn: wireguard_openvpn_for_network_access
prohibited_apps:
- file_sharing: dropbox_personal_google_drive_personal
- messaging: whatsapp_telegram_for_business_data
- vpn: free_untrusted_vpn_services
- remote_access: teamviewer_anydesk_without_approval
☁️ Remote Wipe & Device Loss
remote_management:
wipe_capabilities:
selective_wipe:
scope: corporate_email_contacts_calendar_only
trigger: device_loss_employment_termination
user_impact: personal_data_photos_apps_unaffected
process:
- aws_workmail_console: select_device_initiate_wipe
- verification: confirm_wipe_completion_within_24_hours
- documentation: record_in_incident_response_log
full_device_wipe:
scope: entire_device_factory_reset
trigger: theft_suspected_compromise_high_risk_scenario
user_impact: all_data_lost_device_unusable
process:
- find_my_iphone: ios_devices_remote_wipe
- find_my_device: android_devices_remote_wipe
- mdm_console: enterprise_mdm_full_wipe_command
device_loss_procedure:
immediate_actions:
- within_30_minutes:
- disable_credentials: aws_github_google_accounts
- initiate_wipe: selective_or_full_based_on_risk
- change_passwords: all_accounts_accessed_from_device
follow_up_actions:
- within_24_hours:
- review_logs: check_for_unauthorized_access
- notify_stakeholders: inform_clients_if_data_exposure_risk
- update_asset_register: mark_device_as_lost_stolen
- police_report: file_if_theft_suspected
📊 Monitoring & Compliance
compliance_monitoring:
mdm_dashboards:
aws_workmail_console:
metrics:
- device_enrollment_status: active_pending_blocked
- encryption_compliance: percentage_encrypted_devices
- os_version_currency: devices_within_30_day_update_window
- policy_violations: jailbreak_attempts_screen_lock_disabled
review_frequency:
- daily: critical_alerts_jailbreak_encryption_disabled
- weekly: os_update_status_app_compliance
- monthly: full_mdm_compliance_report_and_documentation
device_health_checks:
automated_checks:
- encryption_status: mdm_verifies_daily
- os_version: alert_if_30_days_behind_latest
- jailbreak_detection: immediate_alert_and_block
- malware_detection: os_native_av_plus_mdm_scanning
manual_verification:
- quarterly_audit: physical_inspection_of_device_security
- annual_review: update_mdm_policies_based_on_threats
Mobile device practices you MUST NOT do:
❌ Unmanaged Device Access
prohibited_practices:
- email_without_mdm: accessing_corporate_email_on_unenrolled_devices
- jailbroken_devices: using_rooted_jailbroken_devices_for_business
- outdated_os: devices_more_than_60_days_behind_security_patches
- disabled_encryption: turning_off_device_encryption_for_any_reason
- shared_devices: using_shared_family_devices_for_corporate_access
❌ Insecure Practices
dangerous_behaviors:
- public_wifi: accessing_sensitive_data_without_vpn_on_public_networks
- sideloading_apps: installing_apps_from_untrusted_sources
- disabled_screen_lock: removing_passcode_biometric_authentication
- unsecured_backup: unencrypted_backups_to_computers_or_cloud
- app_permissions: granting_excessive_permissions_to_untrusted_apps
❌ Data Leakage
prohibited_data_handling:
- unencrypted_storage: storing_corporate_data_in_personal_cloud_apps
- screenshot_sharing: taking_screenshots_of_sensitive_corporate_data
- personal_messaging: forwarding_corporate_emails_to_personal_accounts
- unsecured_forwarding: auto_forwarding_work_email_to_personal_email
- file_attachments: downloading_sensitive_files_to_personal_storage
Scenario: Enrolling personal iPhone for corporate email access.
# iOS Device MDM Enrollment
device_enrollment:
device_info:
model: iPhone_14_Pro
os_version: iOS_17.2
ownership: personal_device
purpose: corporate_email_and_mfa
pre_enrollment_checklist:
- device_backup: icloud_backup_completed_before_mdm
- os_update: ios_updated_to_latest_version
- find_my_iphone: enabled_for_remote_wipe_capability
- passcode: strong_passcode_configured_6_digits_minimum
enrollment_process:
step_1_aws_workmail_setup:
- open_settings: navigate_to_mail_accounts_add_account
- select_exchange: enter_hack23_com_email_address
- accept_mdm_profile: tap_install_when_prompted
- authenticate: enter_email_password_accept_mfa_challenge
step_2_mdm_configuration:
policies_applied:
- device_encryption: verified_enabled
- screen_lock: automatic_after_5_minutes
- passcode_requirement: 6_digit_minimum_enforced
- jailbreak_detection: enabled_will_block_if_detected
- app_restrictions: corporate_data_containerized
step_3_verification:
- send_test_email: verify_email_delivery_to_device
- check_calendar: confirm_calendar_sync_working
- test_screen_lock: ensure_automatic_lock_activates
- mdm_console: verify_device_shows_compliant_in_aws_workmail
post_enrollment:
security_configuration:
- install_authenticator: google_authenticator_for_mfa
- configure_vpn: wireguard_vpn_for_aws_console_access
- install_approved_apps: signal_aws_console_github_mobile
- test_remote_wipe: verify_find_my_iphone_accessible
user_training:
- data_separation: explain_corporate_vs_personal_data
- remote_wipe: acknowledge_selective_wipe_capability
- incident_reporting: know_procedure_for_device_loss
- policy_compliance: review_mobile_device_policy
Result: ✅ Compliant - Device enrolled with full MDM protection
ISO 27001:2022 Mapping:
Scenario: Setting up Android work profile for data separation.
# Android Work Profile Configuration
android_work_profile:
device_info:
model: Samsung_Galaxy_S23
os_version: Android_14
ownership: personal_device
byod_approach: work_profile_for_separation
work_profile_setup:
enrollment:
- install_company_portal: download_from_google_play_if_using_intune
- configure_email: add_exchange_account_prompts_work_profile
- accept_policies: agree_to_mdm_enrollment_and_remote_wipe
profile_configuration:
work_container:
apps:
- gmail: work_profile_version_for_corporate_email
- calendar: work_profile_calendar_for_business
- contacts: work_profile_contacts_separate_from_personal
- authenticator: work_profile_google_authenticator
security:
- separate_encryption: work_profile_encrypted_independently
- separate_lock: work_profile_can_have_different_password
- data_isolation: work_apps_cannot_access_personal_data
personal_container:
apps:
- gmail: personal_gmail_unaffected_by_mdm
- photos: personal_photos_not_visible_to_work_profile
- social_media: personal_apps_separate_from_business
protection:
- unaffected_by_selective_wipe: personal_data_safe
- no_corporate_access: personal_apps_cannot_access_work_data
security_controls:
enforced_policies:
- work_profile_encryption: mandatory_for_enrollment
- screen_lock: required_after_5_minutes_idle
- password_complexity: 6_character_minimum
- device_admin: mdm_has_device_admin_permissions
- remote_wipe: selective_wipe_removes_work_profile_only
monitoring:
- compliance_checks: mdm_verifies_work_profile_security_daily
- policy_violations: alerts_if_rooted_or_policies_disabled
- app_inventory: mdm_tracks_apps_in_work_profile_only
Result: ✅ Compliant - Strong data separation with work profile
Benefits:
Scenario: iPhone stolen from restaurant table, immediate response required.
❌ Initial Situation:
# CRITICAL INCIDENT - Device Theft
incident_details:
date_time: 2026-02-10_19:30_UTC
location: restaurant_stockholm_sweden
device: iPhone_14_Pro_MOB-001
circumstances: left_on_table_during_bathroom_visit_stolen
data_at_risk:
- corporate_email: 6_months_of_client_communications
- aws_console: mobile_app_logged_in_with_session
- github: mobile_app_with_push_notifications
- signal: encrypted_messages_with_clients
- authenticator: totp_tokens_for_all_business_accounts
✅ Immediate Response (Within 30 Minutes):
# PHASE 1: Credential Lockdown
credential_actions:
- 00:00_discovery: realize_phone_missing_immediately_report
- 00:05_passwords:
- aws: change_root_and_iam_user_passwords
- github: change_password_revoke_active_sessions
- google: change_password_revoke_device_sessions
- email: change_aws_workmail_password
- 00:10_mfa_reset:
- disable_totp: temporarily_disable_totp_on_all_accounts
- use_backup_codes: switch_to_backup_authentication_codes
- hardware_token: use_yubikey_as_primary_mfa
- 00:15_device_control:
action: initiate_full_device_wipe
method: find_my_iphone
steps:
- login_icloud: from_workstation_browser
- select_device: iPhone_14_Pro
- initiate_wipe: full_device_erase_selected
- activation_lock: mark_as_lost_with_message
aws_workmail_action:
- login_console: aws_workmail_admin_console
- select_device: MOB-001_iPhone_14_Pro
- selective_wipe: remove_corporate_email_calendar_contacts
- block_device: prevent_future_enrollment_from_this_device_id
# PHASE 2: Monitoring & Investigation
follow_up_24_hours:
- review_logs:
- aws_cloudtrail: check_for_unauthorized_console_access
- github_audit_log: review_repository_access_attempts
- email_logs: check_for_sent_emails_after_theft
- assess_exposure:
- data_classification: mostly_HIGH_some_CRITICAL_client_data
- breach_notification: assess_gdpr_breach_notification_requirement
- client_impact: determine_if_client_notification_needed
- documentation:
- incident_log: record_in_incident_response_plan
- asset_register: update_device_status_to_STOLEN
- risk_register: update_device_theft_risk_with_actual_incident
- police_report: file_theft_report_with_local_police
- recovery:
- procurement: order_replacement_iPhone
- restore: restore_from_icloud_backup_to_new_device
- re_enroll: enroll_new_device_in_aws_workmail_mdm
- verify: confirm_all_security_controls_active
# PHASE 3: Lessons Learned
improvements:
- policy_update:
- restaurant_policy: no_devices_left_unattended_in_public
- screen_lock_timeout: reduce_to_2_minutes_for_public_spaces
- critical_app_review: remove_aws_console_from_mobile_device
- technical_controls:
- bluetooth_tracker: attach_airtag_to_phone_case
- screen_lock_reminder: enable_ios_attention_aware_feature
- backup_frequency: increase_icloud_backup_to_daily
Result: ✅ Incident Contained - Data exposure prevented through rapid response
Key Takeaways:
This skill implements controls from:
ISO 27001:2022 Controls:
NIST CSF 2.0 Functions:
CIS Controls v8.1:
AWS WorkMail MDM (Current Implementation):
advantages:
- cost: included_with_email_service_no_additional_licensing
- integration: native_aws_workmail_email_integration
- simplicity: suitable_for_single_person_company
- capabilities:
- selective_wipe: removes_email_calendar_contacts_only
- policy_enforcement: encryption_screen_lock_os_version
- compliance_monitoring: dashboard_shows_device_status
limitations:
- basic_features: fewer_advanced_controls_than_enterprise_mdm
- platform_support: primarily_mobile_devices_not_workstations
- app_management: limited_app_distribution_capabilities
- reporting: basic_compliance_reports_not_detailed_analytics
suitable_for:
- small_businesses: 1-50_employees
- email_focused: primary_use_case_is_corporate_email
- budget_conscious: no_additional_mdm_licensing_costs
Enterprise MDM Platforms (Future Scaling):
microsoft_intune:
best_for: windows_office_365_environments
features:
- conditional_access: azure_ad_integration
- app_protection: without_full_device_enrollment
- windows_management: autopilot_deployment
cost: included_with_microsoft_365_e3_e5
jamf:
best_for: apple_device_fleets_ios_macos
features:
- zero_touch_deployment: apple_dep_integration
- advanced_inventory: detailed_device_management
- custom_app_deployment: enterprise_app_distribution
cost: per_device_annual_subscription
vmware_workspace_one:
best_for: multi_platform_large_enterprises
features:
- unified_endpoint_management: all_device_types
- workspace_integration: app_virtualization
- advanced_analytics: device_usage_insights
cost: per_device_tiered_pricing
## Mobile Device Lifecycle
### 1. Pre-Enrollment
- [ ] Assess business need for mobile device
- [ ] Verify device OS meets minimum version requirements
- [ ] Obtain user consent for MDM enrollment (BYOD)
- [ ] Document device in Asset Register
### 2. Enrollment
- [ ] Install MDM profile (AWS WorkMail, Intune, Jamf)
- [ ] Verify encryption enabled
- [ ] Configure screen lock and timeout
- [ ] Test remote wipe capability
- [ ] Install approved business apps
- [ ] Configure VPN for secure access
### 3. Operational Use
- [ ] Monthly MDM compliance review
- [ ] Quarterly OS update verification
- [ ] Semi-annual app inventory audit
- [ ] Annual policy acknowledgment
### 4. Incident Response
- [ ] Device loss: Immediate credential lockdown
- [ ] Remote wipe: Selective or full based on risk
- [ ] Log review: Check for unauthorized access
- [ ] Documentation: Update incident log
### 5. Retirement
- [ ] Remove from MDM console
- [ ] Selective wipe of corporate data
- [ ] Update Asset Register status
- [ ] Document disposal method
| Classification | Email Access | App Restrictions | Monitoring | Remote Wipe |
|---|---|---|---|---|
| 🔴 Critical | Work Profile Only | Approved Apps Only | Continuous | Full Wipe |
| 🟠 High | MDM Required | Approved + Restricted | Daily Check | Selective Wipe |
| 🟡 Medium | MDM Recommended | Guidance Provided | Weekly Check | Selective Wipe |
| 🟢 Low | Basic Security | General Guidelines | Monthly Check | Email Only |
| Threat | Impact | Likelihood | Risk Level | Mitigation |
|---|---|---|---|---|
| Device Theft | 🔴 Critical | 🟡 Medium | 🔴 High | Encryption, remote wipe, screen lock |
| Malware | 🟠 High | 🟡 Medium | 🟠 High | OS-native AV, app approval, MDM scanning |
| Phishing | 🟠 High | 🔴 High | 🔴 High | User training, email filtering, MFA |
| Jailbreak/Root | 🟠 High | 🟢 Low | 🟡 Medium | MDM detection, device blocking |
| Public WiFi | 🟡 Medium | 🔴 High | 🟠 High | VPN mandatory, TLS enforcement |
| App Vulnerabilities | 🟡 Medium | 🟠 High | 🟠 High | OS updates, app approval process |
| Data Leakage | 🔴 Critical | 🟡 Medium | 🔴 High | Containerization, DLP, monitoring |
#!/bin/bash
# MDM Compliance Verification Script
echo "📱 Hack23 AB - MDM Compliance Check"
echo "====================================="
echo ""
# Check AWS WorkMail MDM Enrollment Status
echo "🔍 Checking MDM Enrollment..."
read -p "Is device enrolled in AWS WorkMail MDM? (yes/no): " mdm_enrolled
if [ "$mdm_enrolled" != "yes" ]; then
echo "❌ CRITICAL: Device not enrolled in MDM - email access should be blocked"
echo "📝 Action: Enroll device immediately or discontinue corporate email use"
exit 1
fi
# Check Encryption Status
echo ""
echo "🔐 Checking Encryption Status..."
read -p "Is full device encryption enabled? (yes/no): " encryption_enabled
if [ "$encryption_enabled" != "yes" ]; then
echo "❌ CRITICAL: Device encryption disabled"
echo "📝 Action: Enable device encryption immediately"
exit 1
fi
# Check Screen Lock
echo ""
echo "🔒 Checking Screen Lock Configuration..."
read -p "Is automatic screen lock enabled (<5 min)? (yes/no): " screen_lock
if [ "$screen_lock" != "yes" ]; then
echo "⚠️ WARNING: Screen lock timeout too long or disabled"
echo "📝 Action: Configure automatic lock within 5 minutes"
fi
# Check OS Version
echo ""
echo "📲 Checking OS Version Currency..."
read -p "Is OS version within 30 days of latest release? (yes/no): " os_current
if [ "$os_current" != "yes" ]; then
echo "⚠️ WARNING: OS version outdated"
echo "📝 Action: Install latest OS security updates"
fi
# Check Jailbreak/Root Status
echo ""
echo "🛡️ Checking Device Integrity..."
read -p "Is device NOT jailbroken/rooted? (yes/no): " not_jailbroken
if [ "$not_jailbroken" != "yes" ]; then
echo "❌ CRITICAL: Jailbroken/rooted device detected"
echo "📝 Action: Restore device to factory settings or use different device"
exit 1
fi
# Check Remote Wipe Capability
echo ""
echo "☁️ Checking Remote Wipe Capability..."
read -p "Is remote wipe capability tested and functional? (yes/no): " remote_wipe
if [ "$remote_wipe" != "yes" ]; then
echo "⚠️ WARNING: Remote wipe not verified"
echo "📝 Action: Verify Find My iPhone/Android Device Manager accessible"
fi
# Final Report
echo ""
echo "====================================="
echo "✅ MDM Compliance Check Complete"
echo ""
echo "📝 Review MDM console for detailed device status:"
echo " AWS WorkMail: https://console.aws.amazon.com/workmail/"
echo ""
echo "🔄 Next Review: Monthly compliance check scheduled"
The Five Essential MDM Controls:
BYOD Reality:
Skill Metadata:
Framework Compliance:
License: Apache-2.0
Repository: https://github.com/Hack23/homepage