BYOD Security


Employees want to use their personal mobile devices to access corporate resources. Managers want productivity gains. This consumerization of IT—also known as Bring-Your-Own-Device or BYOD—represents a daunting security challenge. How can you accommodate employee and guest requests to use their smartphones, notebooks and tablets on your network while mitigating security risks?

ForeScout helps you embrace BYOD while preserving security. ForeScout products give you real-time visibility and control over personal devices on your network. ForeScout offers a range of products that protect your network and your data, regardless of what type of device your employees are trying to use.

The Challenge

Increasingly, employees are bringing their personal devices into the office and expecting to connect them to the enterprise network and/or the Internet. A recent market study found that 95% of organizations in the United States currently permit employee-owned devices, and many organizations are going a step further and actually requiring employees to purchase their own mobile devices. A Gartner survey shows that US CIOs expect 38% of mobile devices used within the enterprise will be employee owned by 2014.

Perhaps more concerning, this trend is happening faster than IT managers realize. When IDC surveyed IT managers about the number of consumer devices on their networks, they underestimated the number by 50%.

For a more extensive analysis of the risks presented by BYOD, read this whitepaper by well-known security analyst Mike Rothman and this whitepaper by the SANS Institute.

ForeScout’s Solution Set

ForeScout provides three levels of security for BYOD. Depending on your budget and your level of security requirements, you may use one, two, or three at the same time. Many of our customers find that the optimal security solution is to reserve the more expensive solution for those users with the highest need for mobile security on their devices.

The foundation of ForeScout’s mobile security solution is ForeScout CounterACT. This network-based appliance works with PCs and handheld devices. It gives you immediate, real-time visibility of device on your network without the need for agents. No software to download, no enrollment to administer. It tells you who each user is and who owns each device. It ties into directory services and provides role-based network access control. Different users and devices get different access. The price is low, and the impact to your users is trivial because it’s transparent.

The benefit of device visibility cannot be overstated. Gartner estimates that the typical enterprise is aware of only 80% of the devices that are active on its network.1 ForeScout CounterACT shows in real-time devices on your network, including devices that you don’t own. CounterACT categorizes devices by type—Windows, Mac, Linux, Apple iOS, Android, Blackberry, printers, etc. CounterACT also categorizes devices by ownership—corporate devices vs. personal devices. For more information on CounterACT’s visibility features, see here.

ForeScout CounterACT also provides network access control. You can define and enforce different network access policies that support your mobile security strategy. For example, you might want to allow devices that contain an MDM agent onto the production network, and send other personal devices onto a guest network. Or, you might want to restrict personal devices with MDM agents to certain portions of your network. Different users or different devices can be given different limits, dynamically managed by ForeScout CounterACT.

If you need stronger mobile security, then we offer ForeScout CounterACT with our optional ForeScout Mobile Security Module. With this you get enhanced device security for Android and iOS devices. ForeScout Mobile Security Module gives you deep inspection of Android and iOS devices, so you can determine the device’s configuration. Is a password configured? Is encyption turned on? This lets you enforce more sophisticated network access control policies than you can with just CounterACT by itself.

In addition, ForeScout Mobile Security Module lets you manage the configuration of Apple iOS devices. The product leverages Apple’s built-in MDM API to control most aspects of the device, using Apple’s policy framework which is built into the iOS 4 operating system. This does not require the installation of any type of agent on the Apple device. The visibility and control is provided natively from within the iOS operating system, using ForeScout CounterACT with ForeScout Mobile Security Module. You can directly set the password policy, remotely wipe the data, and many other functions.

In this solution tier, the impact on users remains very light, and the price is slightly higher than the first tier.

However, there are many cases where the user role, the sensitivity of data, the management of applications and the risk of device loss and data leakage risk is significant to require a mobile device management (MDM) system. MDM platforms gives you the most extensive coverage aspect of a wide range of mobile device operating systems and extensive level of control: user, device, applications and data.

ForeScout MDM Integration Module provides the most flexible, comprehensive and seamless integration between ForeScout and the leading MDM vendors: Fiberlink MaaS360, AirWatch, MobileIron, and Citrix XenMobile and SAP Afaria*. Additional integrations are under development (*Contact us for SAP Afaria Early Availability release). This approach secures enterprise mobility by giving you the advantage of automated enrollment, on-access MDM profile checking, network mitigation and unified network security. Rather than manage separate network security policies for PCs vs. handheld devices, you can see devices (managed, unmanaged, wired and wireless, PC or mobile) and configure a single set of network access control policies – within ForeScout CounterACT. This way you can easily track and enforce those policies regardless of whether the user has a PC, a Mac, a smartphone or a tablet.

For those that prefer buying MDM and NAC from one vendor, we offer ForeScout MDM Enterprise – a cloud-based MDM platform that lets you manage the mobile device lifecycle – from enrollment to security, monitoring, application management, containerization and support.

Regardless of whether you use MDM from a leading MDM vendor or ForeScout, for optimal security and operational efficiency you should tie your MDM platform into ForeScout CounterACT via our optional MDM Integration Module.

Note 1: “Strategic Road Map for Network Access Control”, Gartner, 11 October 2011, Lawrence Orans and John Pescatore.


ForeScout CounterACT
  • Network-based. The advantage of a network-based approach is that it covers everything—devices that employees are carrying today, and devices they will carry in the future which are not yet on the market. Not only is a network-based approach future-proof, it also avoids the need to try to install software on devices you don’t control, especially devices belonging to guests and contractors. ForeScout CounterACT:
    • Is a network appliance, either physical or virtual
    • Works with your existing network infrastructure
    • Installs out-of-band, for zero network disruption
    • Works with or without agents
  • Identifies personal devices. Before you can secure your network or enforce policies, you need to know what is on your network. ForeScout CounterACT:
    • Detects devices on your network in real-time, regardless of the connection method—wired, wireless, or VPN
    • Categorizes devices by type—computers, wireless access points, handheld phones, USB memory devices, printers, gaming consoles, etc.
    • Categorizes devices by operating system—Windows, MacOS, Apple iOS, Android, Windows Mobile, Blackberry
    • Categorizes devices by ownership. Built-in mechanisms allow ForeScout CounterACT to distinguish personal or unknown devices from corporate devices. These mechanisms include:
      • Did the device successfully authenticate with your directory (802.1x, LDAP, RADIUS, Active Directory, Oracle or Sun)?
      • Does the device match a known whitelist?
      • Does the device contain a known MAC address?
      • Are security applications such as antivirus or MDM installed and running?
  • Wide range of enforcement options. ForeScout CounterACT provides an extensive range of automated network controls which keeps your business running, your users happy, and your network secure. The list includes:
    • Monitor—learn who and what are on your network, and identify non-compliant systems
    • Notify—HTTP hijack end-users and guide them to take remediation steps, such as install specific MDM applications or security tokens.
    • Limit—limit the network access based on device type, device ownership, time of day, and device compliance. The limited access network can allow access to a subset of applications and data, blocking access to more sensitive corporate resources.
    • Block—keep (or just certain types of) devices off your network completely.
  • Automated guest registration. As an alternative to security policies that enforce network access based on device type, ForeScout CounterACT includes a built-in guest registration system that allows you to collect information about the user, for example: name, company, phone, and email address. Different people can be granted different network access, automatically.
  • Post-connect monitoring. Once ForeScout CounterACT admits an endpoint onto your network, ForeScout CounterACT continuously monitors the endpoint to ensure that it remains compliant with your security policies and uninfected. If the device begins to attack your network, ForeScout CounterACT’s built-in threat prevention system blocks the attack.
  • ControlFabric Integration. The information generated by ForeScout CounterACT can be exported to your other IT management and security systems. Integrations are available for most leading MDM systems, SIEM systems, McAfee ePO, and customers can build custom integrations with the Open Integration Module.
ForeScout Mobile Security Module
  • Provides additional detailed information to CounterACT about iOS and Android devices
    • Hardware information such as vendor, model, OS version, installed apps, serial number
    • Is password enabled?
    • Is encryption enabled?
    • What applications are installed?
    • Is the device jailbroken or rooted?
  • Provides additional actions such as:
    • Notify—send messages to end-users on their mobile devices
    • Remediate—directly remediate (without end-user intervention) iOS devices with actions as enforce password policy, remove or disable apps, and enforce specific WiFi access methods.
ForeScout MDM Enterprise

ForeScout MDM Enterprise, powered by MaaS360, provides a comprehensive set of capabilities to get devices configured for enterprise access and makes sure corporate data stored on these devices is secure. Features include:

  • OTA configuration
  • Passcode enforcement
  • Security policy management
  • Remote lock and full wipe
  • Selective wipe of corporate data
  • Device restrictions
  • Asset management
  • Self-service portal
  • Real-time reporting
  • Corporate app storefront
MDM Integration Module

With our MDM Integration Module, security teams can achieve network access control and greater operational efficiency by merging NAC and MDM security functions, and enabling unified access control policies not available in MDM.

  • Collect detailed device information from the MDM system
  • Automate the enrollment and installation of MDM agents on unmanaged devices the moment they connect to the network
  • Notify the MDM system to perform just-in-time security and compliance checks of a mobile device the moment it accesses the network; base network access decisions on the result of this assessment.
  • Trigger device remediation by the MDM system (specific remediation features vary depending on the MDM system)


  • Greater business agility. ForeScout lets you solve consumerization of IT problem to allow your organization to reap the benefits of endpoint flexibility and mobility.
  • Increased employee productivity and retention. ForeScout empowers workers to use devices of their choice for maximum productivity and employee satisfaction.
  • Improved visibility: ForeScout CounterACT lets you identify devices on your network in real-time, including personal devices without any agents installed. ForeScout CounterACT categorizes devices by type—Windows, Mac, Linux, Apple iOS, Android, Blackberry, printers, etc. ForeScout CounterACT also categorizes devices by ownership, e.g. corporate devices vs. personal devices. With ForeScout Mobile Security Module, you get additional detailed information about each device including its configuration, its applications, and its security posture.
  • Policy enforcement:CounterACT lets you enforce any type of network access policy you may wish. You may choose to prohibit consumer devices on your network. Or allow some (or all) consumer devices, but limit them to specific portions of your network. With ForeScout Mobile Security Module, you can enforce more granular network access policies, and you can directly remediate security deficiencies on iOS devices. And with ForeScout MDM you can enforce policies on a wide range of mobile device types including iOS, Android, Windows Phone, and Blackberry devices.
  • Better enterprise-wide security and control: ForeScout CounterACT has three mechanisms to ensure that personal devices do not threaten the security of your network:
  1. ForeScout CounterACT limits guest access, preventing them from accessing sensitive resources
  2. ForeScout CounterACT ensures that guest devices meet your security policies while they are connected to your network
  3. ForeScout CounterACT continuously monitors guest systems to ensure that they do not attack your network.

Product Tours

Product Demonstrations

Mobile Handheld Security

This video demonstrates the use of ForeScout CounterACT to identify mobile handheld devices on the network and offer role-based access. Corporate devices are provided full access automatically while guests can be registered via SMS for user verification.

Product Screenshots

Click image to enlarge.

Guest Registration

ForeScout CounterACT allows guests to register for access to your network.

Mobile Devices

ForeScout CounterACT identifies handheld devices on your network – iPhone, iPad, Android, Windows Mobile, Blackberry, Nokia Symbian.

Mobile Device Properties

ForesScout mobile shows you an inventory of mobile device properties on your network.

Mobile Application Inventory

ForeScout Mobile provides a real-time inventory of mobile apps on your network

MDM Watch List

View a summary of the status of devices.

Secure Document Sharing

Centrally manage documents, users, access controls, distribution, and policies.

Android MDM Policies

Manage the configuration for Android devices.

iOS MDM Policies

Manage the configuration for iOS devices.

MDM Actions

From within the ForeScout MDM Enterprise management console, take actions to protect data and the device over-the-air.

Send Enrollment Request

ForeScout MDM Enterprise discovers new users and devices, and allows IT to launch a simple end user self-service OTA enrollment process.

Cloud Extender

Integrate mobile devices with email, calendar, and contacts platforms such as BlackBerry Enterprise Server, Microsoft Exchange 2007 and 2010 Server, Lotus Notes, Active Directory or Microsoft’s upcoming Office 356.

Control Mobile Devices

From within the CounterACT console, restrict the network access of mobile devices that are non-compliant or unauthorized.

FS Unified Visibility of Devices imageSee Inventory Of Devices

ForeScout CounterACT lets you see an inventory of devices on the network – PCs, mobile devices, printers, etc.

FS Detailed Host Information imageSee Properties Of Mobile Devices

MDM Integration Module lets you see detailed properties of mobile devices which are enrolled in a connected MDM system.

FS Application Inventory imageSoftware Inventory Of Mobile Devices

MDM Integration Module lets you see an inventory of software on mobile devices, including which devices have the software.





Analyst Reports

Solution Briefs

White Papers

Best Practices Guides

Webinars and Webcasts

Competitive Analysis



Blogs and Articles

Success Stories