BYOD & Mobile Security for Enterprise


The Problem

Employees today expect to use personal mobile devices to access corporate resources, wherever, however, and whenever they need to. But allowing consumer devices, both company- and employee-owned, onto your network is a daunting security challenge.

According to a recent SANS Mobility/BYOD Security Survey, over 60% of organizations are embracing some form of BYOD, but only 9% of organizations are confident they know which of these devices are accessing their networks. Corporate data sent to unauthorized mobile apps or saved on mobile devices can be easily lost or stolen, potentially causing a critical data-loss incident for the enterprise. Depending on the data privacy laws and regulations of your region or industry, your organization could face significant penalties.

Mobile Device Management (MDM) systems are an accepted way to address the device security problem through security policy profiling, application management, and data containerization. There are, however, significant shortcomings to MDM as a complete solution able to solve your Bring Your Own Device (BYOD) challenges. These issues include:

  • MDM systems only see and manage devices already enrolled in the MDM system, leaving IT managers blind to personal and unmanaged devices on the network. Legacy PC management systems and vulnerability assessment systems typically cannot detect transient consumer devices on the network, let alone access or manage them.
  • MDM systems only control access to applications (for example, Microsoft Exchange), not access to the network. Thus, MDM neither prevents unauthorized access to data on the network, nor stops compromised devices from attacking the network. IT security managers need the ability to control where mobile devices are allowed on the network, based on the device type, operating system, owner of the device, and user login credentials of the device.
  • MDM profiling is polling-based, so a device is only as compliant as the last check. Should a device be non-compliant, MDM systems can invoke strong wipe and lock commands. IT security managers need a way to secure devices when they request network resources and to take the most appropriate response to a violation, which could include allowing Internet-only access.
  • MDM systems are often operated as another IT management silo with its own set of management screens, as well as separate policies and reports. This leaves room for policies to be inconsistently applied and translated across the various IT management systems and groups.

The ForeScout Solution

ForeScout offers a range of solutions to improve mobile security.

ForeScout CounterACT™ is a continuous monitoring and mitigation platform that provides real-time visibility of personal and mobile devices on your network, limits the network access of those devices, and prevents those devices from spreading malware on your network.

The MDM Integration Module allows you to leverage your existing MDM solution within the broader context of the unified security control that ForeScout CounterACT already provides through real-time visibility across wired and wireless networks, managed and unmanaged devices, corporate and personal devices, and PCs and handheld devices.


Easy to deploy.

  • Works with your existing network infrastructure
  • Has few moving parts. The fewer appliances, servers, and software that you need to install and configure, the better.

Managed and unmanaged.

  • Gives you visibility and control over both managed and unmanaged devices, without the need to deploy agents

Wide range of enforcement actions.

  • Monitor mode, which lets you detect (and report on) policy violations without taking action
  • Notifications, which let you send emails or HTTP hijacks to end users who violate policies
  • Restrict traffic to certain portions of the network
  • Block network access using a wide range of technologies such as 802.1X, SNMP, ACL management, and TCP reset
  • Directly enforce policies on the device, such as password, encryption, required applications, and removing or disabling prohibited applications

Automated guest registration. Identifies users trying to connect their wireless devices to your network and provides them an opportunity to request permission to use your network.

Post-connect monitoring. Monitor a handheld device after it has been admitted to the network, checking to ensure that it does not begin to behave in a threatening manner.


  • Greater business agility. ForeScout lets your organization reap the benefits of endpoint flexibility and mobility.
  • Increased employee productivity. ForeScout empowers workers to use devices of their choice for maximum productivity and employee satisfaction.
  • Improved visibility. ForeScout CounterACT™ lets you identify devices on your network in real time, including personal devices, without requiring that agents be installed. ForeScout CounterACT categorizes devices by type, such as Windows, Mac, Linux, Apple iOS, Android, BlackBerry, printers, and so forth, and by ownership (e.g. corporate devices vs. personal devices).
  • Policy enforcement. CounterACT gives you the ability to customize network access policies. For example, you can prohibit consumer devices on your network, or allow some (or all) consumer devices, but limit them to specific portions of your network.

Product Tours

Product Demonstrations

Mobile Handheld Security

This video demonstrates the use of ForeScout CounterACT to identify mobile handheld devices on the network and offer role-based access. Corporate devices are provided full access automatically while guests can be registered via SMS for user verification.

Product Screenshots

Guest Registration

ForeScout CounterACT allows guests to register for access to your network.

Mobile Devices

ForeScout CounterACT identifies handheld devices on your network: iPhone, iPad, Android, Windows Mobile, BlackBerry, Nokia Symbian.

