Mobile Applications: Best Practice

Document created by user.oxriBaJeN4 Employee on Sep 7, 2015
Last modified by user.oxriBaJeN4 Employee on May 23, 2017
Version 6

 

Access to Mimecast Mobile applications is enabled by default for all internal domain users. To help Administrators provide a useful and safe Mimecast Mobile application experience, we’ve identified some best practice guidelines. These are detailed below.

 

Authentication

 

Mimecast Mobile applications support a number of user authentication methods. These can be used in isolation, or combined to provide optimum benefit. The following articles provide further information in relation to authentication with Mimecast Mobile:

 

Feature Control

 

Application Settings are used to determine which users have access to which applications, and the features available to them in those applications. By default, all user applications are enabled for all internal domain users. These settings can be customized or restricted for selected user groups. Careful consideration should be given to enable only those features that are required during a DR event or during day-to-day access. Application Settings are for feature control and should not be relied upon to control general security.

If you disable Online Inbox functionality within Application Settings, the default viewer will be blank when an end user launches the Mimecast Mobile application.

Securing Mimecast Mobile Applications

 

Mimecast allows for comprehensive security settings to be applied as appropriate, based on the requirements of your users and organization. It is recommended these be as restrictive as possible whilst still allowing users to work efficiently. The following are recommended best practice policy settings:

  • Application Settings:
    • Mandatory application PIN lock:
      • Prevents opportunistic interaction with the application interface.
      • Set PIN lock timeout as short as possible.
    • Authentication TTL to be set appropriately.
    • Use Active Directory Groups to manage Application Settings membership.
  • Mandate strong, complex Mimecast cloud password rules in Account Settings.
  • Do not use shared accounts; each user should enter their own credentials.
  • Where access to email in shared mailboxes is a requirement, including delegated mailboxes, this may be enabled through the use of Smart Tags.
  • The use of a Mobile Device Management (MDM) platform is recommended:
    • Mimecast Mobile can be downloaded from the public app stores and used on any device.
    • Mimecast Mobile Pro is only available via MDM push. Should users attempt to access the publicly available version they will be denied.

 

General Device Security

 

Mimecast strongly recommends that all mobile devices are configured using current industry standard security best practices. Devices must be secured at the operating system level to ensure base level encryption of stored data. The following are recommended security actions for supporting mobile device use in general:

  • Mandate strong, complex device passwords rather than the standard 4-digit numeric PIN.
  • Conduct regular security audits of the mobile estate.

 

Additional security enhancements (e.g. use of VPN tunnels and dedicated mobile gateways) will reduce the attack surface of the mobile estate. When mobile devices are communicating in a secure network, IP restrictions may be added in order to prevent access outside of this secure network.

 

Software Updates

 

Mimecast includes security updates as required in its Mobile application releases. As such, it is important to actively maintain the versions of Mimecast Mobile applications deployed to the mobile device estate, to ensure the latest security enhancements are installed. In order to remain informed of the latest releases, Mimecast recommends subscribing to the service release updates, or visiting our Service Updates page.

Only key updates will receive an RSS Feed or Service Update, as it is not always scalable for Mimecast to alert on every update we make due to our SaaS-based continual deployment methodology. Additionally, we will not always disclose various technical updates in the public domain (i.e. via an ‘app’ store) for security reasons, but will instead notify our customer base directly if deemed relevant.

The Registered Devices section in the Administration Console can be used to view all devices that have ever been connected to your Mimecast instance using Mimecast Mobile apps. Using the Last Registered date, you'll see whether a particular device has recently accessed a Mimecast Mobile application. All devices are listed alongside the following information:

  • User email address
  • Device type
  • Operating system
  • Application name & version
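
The review described above can be scripted once the Registered Devices listing has been copied into a CSV file. The following is an added example, not Mimecast code: the column names, version numbers, the 90-day threshold and the function names are assumptions made for illustration, and the rows are constructed. It flags devices running an app version below a chosen minimum, devices using the public app where Mimecast Mobile Pro is mandated, and devices whose Last Registered date is old.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample rows. The column names are assumptions for this example,
# not a documented Mimecast export format.
SAMPLE_CSV = """user,device_type,os,app_name,app_version,last_registered
alice@example.com,iPhone,iOS 10.3,Mimecast Mobile Pro,3.2.1,2017-05-20
bob@example.com,Android,Android 7.0,Mimecast Mobile,3.2.1,2017-05-18
carol@example.com,iPad,iOS 9.3,Mimecast Mobile Pro,3.0.4,2017-05-21
dave@example.com,BlackBerry,BlackBerry OS 10,Mimecast Mobile Pro,3.2.1,2016-11-02
"""


def parse_version(text):
    """Turn '3.2.1' into (3, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def audit_devices(csv_text, today, min_version, required_app=None, stale_days=90):
    """Return a list of (user, device_type, [issues]) for devices with findings."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    minimum = parse_version(min_version)
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        if parse_version(row["app_version"]) < minimum:
            issues.append("outdated app version " + row["app_version"])
        if required_app and row["app_name"] != required_app:
            issues.append("unexpected app: " + row["app_name"])
        if date.fromisoformat(row["last_registered"]) < cutoff:
            issues.append("not registered since " + row["last_registered"])
        if issues:
            findings.append((row["user"], row["device_type"], issues))
    return findings


if __name__ == "__main__":
    report = audit_devices(SAMPLE_CSV, date(2017, 5, 23), "3.2.0",
                           required_app="Mimecast Mobile Pro")
    for user, device, issues in report:
        print(user + " (" + device + "): " + "; ".join(issues))
```

Leave required_app unset if the public Mimecast Mobile app is permitted in your organization.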

 

Cached Data

 

To improve user experience and performance, and to reduce unnecessary API calls, Mimecast Mobile apps utilize an on-device cache. Local caching also enables essential functionality (e.g. previewing files and embedded images).

 

Platform: iOS
  • Cached data:
    • Encrypted on disk regardless of device security settings.
    • Message body of viewed messages.
    • Attachments including embedded images.
  • Cache cleared: Upon log out of application.
  • Cache size: 100MB (theoretical limit, the system may require the cache to flush at any given time).

Platform: Android & BlackBerry OS 10
  • Cached data:
    • Encrypted on disk regardless of device security settings.
    • Message body of viewed messages.
    • Embedded images (attachments are saved to the local file store as specified by the end user).
  • Cache cleared: Upon log out of application.
  • Cache size: No limit, uses device memory.

 

If you have any further queries, do not hesitate to reach out to the Mimecast technical support team. If you have email support, contact us via support@mimecast.com.

 

Important Information

 

This document is a general guide to best practice when using the Mimecast Mobile application. It is not intended as advice and should not be treated as such. The information is provided without any condition, guaranty, promise, representation or warranty as to the accuracy, completeness or adequacy of the content. This document does not form part of any contractual documentation. Nor should it be relied upon in entering into any contract with Mimecast. Mimecast will have no liability of any kind including direct, indirect, special, or consequential loss or damage, arising out of or in connection with this guide, and such liability is expressly disclaimed to the maximum extent permitted by law.
