Access to Mimecast Mobile applications is enabled by default for all internal domain users. To help Administrators provide a useful and safe Mimecast Mobile application experience, we’ve identified some best practice guidelines. These are detailed below.
Mimecast Mobile applications support a number of user authentication methods. These can be used in isolation, or combined to provide optimum benefit. The following articles provide further information in relation to authentication with Mimecast Mobile:
Application Settings are used to determine which users have access to which applications, and the features available to them in those applications. By default, all user applications are enabled for all internal domain users. These settings can be customized or restricted for selected user groups. Careful consideration should be given to enable only those features that are required during a DR event or during day-to-day access. Application Settings are for feature control and should not be relied upon to control general security.
If you disable Online Inbox functionality within Application Settings, the default viewer will be blank when an end user launches the Mimecast Mobile application.
Securing Mimecast Mobile Applications
Mimecast allows for comprehensive security settings to be applied as appropriate, based on the requirements of your users and organization. It is recommended these be as restrictive as possible whilst still allowing users to work efficiently. The following are recommended best practice policy settings:
- Application Settings:
  - Mandatory application PIN lock:
    - Prevents opportunistic interaction with the application interface.
    - Set PIN lock timeout as short as possible.
  - Authentication TTL to be set appropriately.
  - Use Active Directory Groups to manage Application Settings membership.
- Mandate strong, complex Mimecast cloud password rules in Account Settings.
- Do not use shared accounts; each user should enter their own credentials.
  - Where access to email in shared mailboxes is a requirement (e.g. delegated mailboxes) this can be enabled through the use of Smart Tags.
- The use of a Mobile Device Management (MDM) platform is recommended:
  - Mimecast Mobile is able to be downloaded from the public app stores and used on any device.
  - Mimecast Mobile Pro is only available via MDM push. Should users attempt to access the publicly available version they will be denied.
General Device Security
Mimecast strongly recommends that all mobile devices are configured using current industry standard security best practices. Devices must be secured at the operating system level to ensure base level encryption of stored data. The following are recommended security actions for supporting mobile device use in general:
- Mandate strong, complex device passwords rather than the standard 4-digit numeric PIN.
- Conduct regular security audits of the mobile estate.
Additional security enhancements (e.g. use of VPN tunnels and dedicated mobile gateways) will reduce the attack surface of the mobile estate. When mobile devices are communicating in a secure network, IP restrictions may be added in order to prevent access outside of this secure network.
Mimecast includes security updates as required in its Mobile application releases. As such, it is important to actively maintain the versions of Mimecast Mobile applications deployed to the mobile device estate, to ensure the latest security enhancements are installed. In order to remain informed of the latest releases, Mimecast recommends subscribing to the service release updates, or visiting our Service Updates page.
Only key updates will receive an RSS Feed or Service Update as it is not always scalable for Mimecast to alert on every update we make due to our SaaS based continual deployment methodology. Additionally, we will not always disclose various technical updates in the public domain (i.e. via an ‘app’ store) for security reasons but instead will notify our customer base directly if deemed relevant.
The Registered Devices section in the Administration Console can be used to view all devices that have ever been connected to your Mimecast instance using Mimecast Mobile apps. Using the Last Registered date, you'll see whether a particular device has recently accessed a Mimecast Mobile application. All devices are listed alongside the following information:
- User email address
- Device type
- Operating system
- Application name & version
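The Registered Devices fields listed above are enough to drive a periodic audit of the mobile estate. The following is an added example, not Mimecast code: it assumes the device list has been transcribed into a CSV whose layout and column names are hypothetical, and it flags devices that have not registered recently or that run an application version below a minimum you choose. The sample rows, version numbers and thresholds are constructed.

```python
import csv
import io
from datetime import date, datetime

# Constructed sample data. The CSV layout and column names are assumptions for
# this example; the fields mirror those shown in the Registered Devices list.
SAMPLE_CSV = """user_email,device_type,operating_system,app_name,app_version,last_registered
alice@example.com,iPhone,iOS 17.4,Mimecast Mobile,4.2.0,2024-05-28
bob@example.com,Pixel 7,Android 14,Mimecast Mobile,3.9.1,2024-05-30
carol@example.com,iPad,iOS 15.8,Mimecast Mobile Pro,4.2.0,2023-11-02
dave@example.com,Galaxy S9,Android 10,Mimecast Mobile,3.1.0,2023-06-15
"""


def parse_version(text):
    """Turn '4.2' into (4, 2, 0, 0) so versions compare numerically, not as strings."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def audit_devices(csv_text, today, max_idle_days, min_version):
    """Return (email, device, reasons) for every device that needs review."""
    findings = []
    floor = parse_version(min_version)
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        last_seen = datetime.strptime(row["last_registered"], "%Y-%m-%d").date()
        idle = (today - last_seen).days
        if idle > max_idle_days:
            reasons.append(f"stale: last registered {idle} days ago")
        try:
            if parse_version(row["app_version"]) < floor:
                reasons.append(f"outdated app {row['app_version']} < {min_version}")
        except ValueError:
            # A version that cannot be parsed is surfaced, never silently passed.
            reasons.append(f"unparseable app version {row['app_version']!r}")
        if reasons:
            findings.append((row["user_email"], row["device_type"], reasons))
    return findings


if __name__ == "__main__":
    for email, device, reasons in audit_devices(SAMPLE_CSV, date(2024, 6, 1), 90, "4.0.0"):
        print(f"{email} ({device}): " + "; ".join(reasons))
```

Stale entries are candidates for follow-up with the device owner, and outdated versions indicate where an application update is still pending.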
In order to improve user experience, performance, and reduce unnecessary API calls, Mimecast Mobile apps utilize an on-device cache. Local caching also enables essential functionality (e.g. previewing files and embedded images).
|Platform||Cached data||Cache cleared||Cache size|
|Android & BlackBerry OS 10|
If you have any further queries, do not hesitate to reach out to the Mimecast technical support team. If you have email support, contact us via firstname.lastname@example.org.
This document is a general guide to best practice when using the Mimecast Mobile application. It is not intended as advice and should not be treated as such. The information is provided without any condition, guaranty, promise, representation or warranty as to the accuracy, completeness or adequacy of the content. This document does not form part of any contractual documentation, nor should it be relied upon in entering into any contract with Mimecast. Mimecast will have no liability of any kind, including direct, indirect, special, or consequential loss or damage, arising out of or in connection with this guide, and such liability is expressly disclaimed to the maximum extent permitted by law.