commoncriteria / mobile-device

Protection Profile for Mobile Device Fundamentals
The Unlicense

TOE enrollment in management #31

Closed woodbe closed 4 years ago

woodbe commented 4 years ago

I am wondering if this needs to be optional for Admin.

https://github.com/commoncriteria/mobile-device/blob/954ded4330200e30c1e4b35b7b7398b6d6a3598c/input/mobile-device.xml#L5783

With the latest Android Enterprise changes (these have been around for a few years now, but are becoming the default for new devices), the enrollment in management can be done before a user ever logs in on the device. So basically I could take the device out of the box, power it on, set Wi-Fi (or not, if I have an active SIM card), tap it to an NFC tag, and have it enroll into management.

At that point I haven't done anything beyond getting the device online; no user has logged in or even seen the home page. In this case it is tough to say the admin is really a "user", as they are only setting up the device for the end user, and they aren't even setting anything up on the device first. When I think of a user enrolling the device into management, I am thinking of an end user who was sent the device and told to go install something (say some MDM Agent from the app store) and log in. Here, though, we are talking about an IT admin, pretty much the definition of the admin, enrolling the device into management without any login or completion of the normal initialization process on the device.

lewyble commented 4 years ago

Changed function to be 'MOOO'