ForeScout Mobile Security Module

Overview

ForeScout Mobile Security Module is the easiest and most economical way for IT security managers to say “yes” to Android and Apple iOS devices on the enterprise network without compromising security.

ForeScout Mobile Security Module runs as an add-on to ForeScout’s market-leading network access control (NAC) platform, ForeScout CounterACT. Together, these two products provide real-time visibility and control of everything on the network—wired and wireless, managed and unmanaged, PCs and handheld devices—and give you special visibility and control over Android and iOS devices.

Relative to a full-blown MDM system, ForeScout CounterACT with the ForeScout Mobile Security Module is:

  • More affordable. The price of ForeScout CounterACT and the ForeScout Mobile Security Module is a fraction of the typical price for an MDM system.
  • More unified. ForeScout CounterACT working with the ForeScout Mobile Security Module allows you to apply intelligent network access control policies for everything on your network regardless of the type of device (PC, Mac, tablet, smartphone), the type of connection (wired, wireless, VPN) or the owner of the device (corporate or personal).
  • More real-time. ForeScout CounterACT working with the ForeScout Mobile Security Module provides real-time visibility of devices on your network, even of devices that have not been “enrolled” or have not had an agent installed.

The ForeScout Mobile Security Module for Android is a CounterACT plugin and a lightweight app for Android devices. The app collects hardware, software and configuration information for each device on which it is installed and reports this to the CounterACT appliance. This allows CounterACT to determine the compliance of the Android device, restrict network access on the basis of that information, and send automatic notifications to users to help them remediate security problems.

ForeScout Mobile Security Module for iOS natively supports iOS devices such as the iPad and iPhone by employing the Apple Mobile Device Management API and the Apple Push Notification service (APNs), both of which are built into the iOS 4 operating system. Hardware and software inventory details are collected by the iOS device and delivered to the CounterACT appliance. From the CounterACT console, you can configure iOS policies and profiles and apply them to iOS devices which are connected to the network via WiFi or over VPN. (Over-the-air management is planned for Q4 2012.) Actions such as device lock¹, password change, full wipe¹, and selective wipe of corporate data can be pushed to the iOS device.

Features of ForeScout CounterACT with the ForeScout Mobile Security Module include:

  • Automated real-time detection. ForeScout CounterACT lets you detect mobile devices the moment they try to connect to your network. No agents or software are required.
  • Visibility. ForeScout CounterACT categorizes and reports on hand-held mobile devices by type (iOS, Android, Windows Mobile, Blackberry, etc.) and by user. The additional visibility provided by ForeScout Mobile Security Module includes information such as hardware model, OS version, installed apps, IP address, serial number, and phone number.
  • Compliance management. ForeScout Mobile Security Module gives CounterACT additional visibility into Android and iOS devices, allowing CounterACT to assess compliance with security policy. For example:
    • Identify mobile devices without password protection
    • Identify rooted Android devices and jailbroken¹ iOS devices
    • Identify mobile devices that are missing required apps, for example, management or security apps
    • Identify mobile devices that are running black-listed apps
  • Enforcement options. ForeScout Mobile Security Module works with ForeScout CounterACT and provides a wide variety of enforcement options:
    • Monitor—learn who and what are on your network, and identify non-compliant systems
    • Notify—send emails or messages to IT personnel or end-users, or HTTP hijack end-users. Automated messages can guide end-users to take remediation steps, such as installing specific MDM applications or security tokens onto their smartphones.
    • Limit—limit the network access based on device type, device ownership, time of day, and device compliance. The limited access network can allow access to a subset of applications and data, blocking access to more sensitive corporate resources.
    • Block—keep all (or just certain types of) devices off your network completely.
    • Remediate—directly remediate (without end-user intervention) iOS devices with actions such as remote management¹, full data wipe¹, corporate data wipe, and password policy enforcement; require apps such as anti-virus, MDM or virtualization; remove or disable native apps such as the camera; and enforce specific WiFi access methods.
  • Guest registration. If you wish to set up a guest network for personal mobile devices, you can use ForeScout CounterACT’s built-in guest registration system. Once a guest has been approved, CounterACT can dynamically enforce your security policies, such as restricting the user’s access to just the Internet.
  • Continuous protection. If malware exists on the mobile device and tries to propagate or interrogate your network, ForeScout CounterACT will detect the malicious behavior, block the threat, and can automatically quarantine or remove the mobile device from your network. ForeScout CounterACT includes ForeScout’s patented ActiveResponse™ technology which can detect and block zero-day threats.
  • Clientless operation. Since ForeScout CounterACT is a clientless solution, it works with all types of endpoints—managed and unmanaged, known and unknown. Mobile devices do not need to have agents installed on them. However, installing the ForeScout Mobile app for Android gives you deeper visibility into the configuration, hardware and software details of the Android device.

¹ Over-the-air management, full data wipe, and jailbreak detection are expected to be available in June, 2013.

 

Product Tours

Product Demonstrations

Mobile Handheld Security

This video demonstrates the use of ForeScout CounterACT to identify mobile handheld devices on the network and offer role-based access. Corporate devices are provided full access automatically while guests can be registered via SMS for 100% user verification.

Product Screenshots

Guest Registration

ForeScout CounterACT allows guests to register for access to your network.

Mobile Devices

ForeScout CounterACT identifies handheld devices on your network – iPhone, iPad, Android, Windows Mobile, Blackberry, Nokia Symbian.

Mobile Device Properties

ForeScout Mobile shows you an inventory of mobile device properties on your network.

Mobile Application Inventory

ForeScout Mobile provides a real-time inventory of all mobile apps on your network.

Compare

Rating scale: Best, Good, Fair, Poor*

Products compared:

  • ForeScout CounterACT
  • ForeScout CounterACT + ForeScout Mobile
  • ForeScout CounterACT + ForeScout MDM
  • ForeScout MDM

Comparison criteria:

  • Operational Management
    • Expense management
    • Inventory management
    • App management, app store
  • Network Security
    • Access control
    • Block threats
    • Detect on access
    • Profile device
  • Device and Data Security
    • Password
    • Remote wipe, selective wipe¹
    • Configuration enforcement
    • Detect rooted / jailbroken¹
    • Containerization / encryption
    • PII data privacy screening
  • Unified visibility and network access policy

User impact:

  • ForeScout CounterACT: Transparent
  • ForeScout CounterACT + ForeScout Mobile: Lightweight
  • ForeScout CounterACT + ForeScout MDM: Lightweight
  • ForeScout MDM: Lightweight

Price:

  • ForeScout CounterACT: $
  • ForeScout CounterACT + ForeScout Mobile: $$
  • ForeScout CounterACT + ForeScout MDM: $$$*
  • ForeScout MDM: $$$$

*Assumes that high risk devices/users are enrolled in ForeScout MDM and lower risk devices/users are managed by ForeScout Mobile Security Module.

¹ Expected delivery Q4 2012

Specs

ForeScout CounterACT Mobile Security Module for Android includes an Android app that natively supports Android version 2.1 and above.

ForeScout CounterACT Mobile Security Module for iOS natively supports iPad and iPhones running iOS version 4.0 and above.

In addition to the specific capabilities offered by ForeScout Mobile Security Module, ForeScout CounterACT supports an extremely wide range of devices and operating systems including printers, switches, routers, computers, tablets, and smartphones.