Mobile Devices and BYOD Security:
Deployment and Best Practices
BRKSEC-2045
Sylvain Levesque
Security Consulting Systems Engineer
slevesqu@cisco.com
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
 Test bed Used
 State of Malware on Mobile Devices
 802.1X Network Authentication
 Device Profiling with the Identity Services Engine
 Digital Certificates Usage and Provisioning Methods
 Remote Access VPN
 Web Security
 Recommendations and Conclusion
Test bed Used
 A number of tests were conducted for this session to document the behavior of mobile devices with different Cisco
security solutions.
 A group of devices under test was used to represent the major mobile platforms on the market today. Recent releases
of operating systems were used and therefore the behavior documented in this presentation might vary with older OS
releases.
Devices under test:
• Toshiba AT300 tablet: Android ICS 4.0.3
• Samsung Galaxy Tab2: Android 4.1+
• Samsung Galaxy S2/SS: Android JB 4.1.2
• Google Nexus: Android JB 4.4+
• RIM/BlackBerry Bold 9900: OS 7.1.0
• RIM/BlackBerry Z10: OS 10.0.10+
• Microsoft Surface: Windows 8 RT+
• Apple iPad3 tablet: iOS 6.1.2+
*ICS = Ice Cream Sandwich, JB = Jelly Bean
Infrastructure used: Anyconnect 3.x, ASA 9.1(4), WSA 7.5(0)-833, ISE 1.2, Airwatch cloud-based MDM 6.3.1.2, Microsoft Certificate Services on Windows 2008 Enterprise R2
State of Malware on Mobile Devices
Mobile Devices Market
 Android currently dominates the Mobile OS market followed by iOS
 While iOS devices are pretty current, a large percentage of Android devices still uses
outdated releases that could be subject to security vulnerabilities
[Charts: iOS Versions and Android Versions in use. Sources: IDC, developer.android.com]
State of Malware
 The Cisco 2014 Annual Security Report describes the evolution of exploits and malware and is a great reference for any IT or Security professional:
http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
 Interesting statistics on malware, exploits and mobile devices from this report:
• Malware on Android up 2,577%
• 99% of mobile malware targets Android
• Encounters with web malware: 70% Android, 22% Apple iOS
• Malware on mobile devices: 1.2% of all web malware found (up from 0.42%)
• Most exploits rely on Java, which has sparse support on mobile devices
Other Interesting Facts and Conclusions
• 25% of malware on mobile devices comes from porn sites
• Phishing: still a major malware infection vector, as with PCs
• Users click on a link in an email that has them installing an App from an untrusted application store
• Typical exploits on Android: subscription to premium SMS services, botnet infection and remote control, banking information theft
• 2012 -> first Android botnet in the wild
• 2013 -> large Android botnets observed in China (1 million + devices)
• The use of non-managed mobile devices could expose your organization to infection or data theft (Android or others)
Cisco Annual Security Report:
“The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not “root” or “jailbreak” their devices, and only install applications from official and trusted distribution channels”
Secure Access with 802.1X, Remote Access VPN
and Web Security
Network-Based Authentication using 802.1X - Review
 802.1X is used to provide authentication of a user or a device to the network
 3 main components are involved in an 802.1X authentication:
- Supplicant: Provides identity information to the network. Supplicant software is embedded in all modern Operating Systems. Ex: Apple iOS, Android, Windows 8, etc.
- Authenticator: Device that controls access to the network, participates in the initial EAP (Extensible Authentication Protocol) exchange and acts as a relay between the Supplicant and the Authentication Server. Ex: Switch, Wireless Controller
- Authentication Server: RADIUS Server that validates the identity information provided and sends authorization attributes such as a VLAN, Access-List, Session timeout, URL for redirection. The identity can optionally be validated by an external Identity Store. Ex: ISE, ACS
[Diagram: Supplicant <-- EAP/WPA2 --> Authenticator <-- EAP over RADIUS --> Authentication Server (RADIUS); a single EAP session runs end to end between Supplicant and Authentication Server]
802.1x Identity Information Types
Different types for different mobility use cases:
1. Username/Password Combination
- User authentication (also Machine Auth for Windows)
- Active Directory/LDAP/RADIUS ID Stores
- EAP types: PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST
2. Two-Factor Authentication
- Something you know, you have, you are
- Mostly for user authentication
- RSA SecurID and other token-based ID Systems
- EAP types: PEAP-GTC, EAP-FAST/EAP-GTC
3. Digital Certificates
- Signed/emitted by a public or private Certificate Authority
- Can be used for user and/or device authentication
- Microsoft AD Certificate Services, Entrust, Verisign, etc.
- EAP types: EAP-TLS, EAP-FAST
Acronyms: EAP = Extensible Authentication Protocol; PEAP = Protected EAP; GTC = Generic Token Card; FAST = Flexible Authentication via Secure Tunneling; TLS = Transport Layer Security
Device & User Authentication/Authorization
[Diagram: phase 1, Machine AuthC with PEAP-MSCHAPv2* or EAP-TLS using the machine identity host/MTLLAB-W500; phase 2, User AuthC with PEAP-MSCHAPv2 or EAP-TLS using the user identity CISCO\slevesqu. With the native supplicant, both phases are possible only with the same EAP type; otherwise one phase only. A single certificate with CN=slevesqu and SAN=00:21:6A:AB:0C:8E can serve User AuthC, User AuthZ, Hybrid AuthZ and Device AuthZ.]
*Windows RT/Phone can not join Active Directory and can not use PEAP-MSCHAPv2 for Machine Authentication
Abbreviations: AuthC = AuthentiCation, AuthZ = AuthoriZation, CN = Common Name, SAN = Subject Alternate Name
2-Factor Authentication Workaround with 802.1X and Central Web Authentication
[Diagram: (1) 802.1X EAP-TLS authentication with a certificate, then (2) Central Web Authentication with the user's AD account, both handled by ISE.]
Factor 1: Device Certificate
Factor 2: Employee User Credentials
Common 802.1X EAP Types and Compatibility
EAP-Type | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7/10 | ACS 5.x | ISE 1.x | AD | LDAP
EAP-TLS | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes
PEAP-MSCHAPv2 | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No
PEAP-EAP-GTC | No (1) | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes
EAP-FAST | No (1) | No | Yes (2) | No (3) | Yes | Yes | Yes | Yes | No
1. Supported through 3rd-party supplicants such as Anyconnect NAM
2. Configuration required through Apple Configuration Utility or MDM
3. No native support. Supported through Cisco Compatible Extensions (CCX) with specific mobile device manufacturers. More information:
http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
Note: Windows 8 and Windows RT have no native support for token-based systems such as RSA SecurID
More on 802.1X: BRKSEC-2691: Identity Based Networking: IEEE 802.1X and beyond
802.1X Configuration: PEAP-MSCHAPv2 User Authentication Example
[Screenshots: numbered configuration steps of the native supplicant on each device under test; on the touch devices, touch-hold the network entry to reach its settings.]
Device Profiling with the Identity Services Engine
ISE Profiler Review
 The ISE Profiler service uses a number of probes to capture the traffic generated by an endpoint device
 It then extracts information from this traffic and compares patterns with profiling rules that are either pre-
defined or custom-built to match an endpoint type and a profile
 An Authorization rule can then use this information to assign network access privileges based on the device
profile (iPhone/iPad vs Android vs Blackberry vs Windows)
Probe | Data Provided
RADIUS | OUI, MAC Address
DHCP | DHCP attributes, hostname
DNS | FQDN, hostname
HTTP | User-Agent
NMAP | OS fingerprint
NETFLOW | TCP/UDP ports used
SNMP | MIB strings
(The slide highlights the probes currently used to profile mobile devices.)
More on Profiling: BRKSEC-3698: Advanced ISE and Secure Access Deployment
Example of Profiling Rules for iPad
Analyzing HTTP User Agents
Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19
[Annotated fields of the string above, in order: "Mozilla/5.0" = compatibility with Mozilla's rendering engine; "Android 4.0.3" = OS and version; "AT300" = device model; "AppleWebKit/535.19 (KHTML, like Gecko)" = HTML layout engine; "Chrome/18.0.1025.166 Safari/535.19" = browser and extensions]
Sample HTTP User Agents
Apple iPad
Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
Windows RT
Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)
Android Samsung Tab2 tablet
Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
Android LG Google Nexus 5 smartphone
Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36
Blackberry Z10 smartphone
Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+
View your own user-agent at: http://whatsmyuseragent.com
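The two slides above describe how the HTTP probe extracts OS, version and model from a User-Agent string and how an authorization rule can then group devices by platform. The following Python is an added example written for this page, not code from the presentation or from ISE: it parses the sample user agents shown on the slides (embedded here as constructed test input) into a small profile and maps that profile to an authorization group. The group names and the mapping are assumptions for the example; the User-Agent is self-reported by the client, which is why ISE correlates it with the other probes (DHCP, OUI) rather than trusting it alone.

```python
import re
from typing import Dict, Optional

# Constructed sample input: the User-Agent strings shown on the slides.
SAMPLE_USER_AGENTS = {
    "toshiba_at300": "Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19",
    "apple_ipad": "Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53",
    "windows_rt": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)",
    "samsung_tab2": "Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30",
    "nexus_5": "Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36",
    "blackberry_z10": "Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+",
}

_ANDROID_VERSION = re.compile(r"Android (\d+(?:\.\d+)*)")
# The model is the token that sits between the last ';' and ' Build/'.
_ANDROID_MODEL = re.compile(r";\s*([^;()]+?)\s+Build/")
# iOS reports "CPU OS 7_0_4" (iPad) or "CPU iPhone OS 7_0" (iPhone) with underscores.
_IOS = re.compile(r"\((iPad|iPhone|iPod)[^)]*?\bOS (\d+(?:_\d+)*)")
_WINDOWS_NT = re.compile(r"Windows NT (\d+\.\d+)")
_VERSION_TOKEN = re.compile(r"Version/(\d+(?:\.\d+)*)")


def profile_user_agent(ua: str) -> Dict[str, Optional[str]]:
    """Return {"os", "version", "model"} derived from a User-Agent string.

    Fields that cannot be recovered are None; a string no rule recognises
    (desktop browsers, curl, Windows Phone, ...) yields os="Unknown".
    """
    m = _IOS.search(ua)
    if m:
        return {"os": "iOS", "version": m.group(2).replace("_", "."), "model": m.group(1)}
    m = _ANDROID_VERSION.search(ua)
    if m:
        model = _ANDROID_MODEL.search(ua)
        return {"os": "Android", "version": m.group(1), "model": model.group(1) if model else None}
    if "(BB10;" in ua:
        v = _VERSION_TOKEN.search(ua)
        return {"os": "BlackBerry 10", "version": v.group(1) if v else None, "model": None}
    m = _WINDOWS_NT.search(ua)
    if m:
        # Windows RT tablets identify as "Windows NT 6.2; ARM"; x86 Windows 8 has no ARM token.
        os_name = "Windows RT" if re.search(r";\s*ARM;", ua) else "Windows"
        return {"os": os_name, "version": m.group(1), "model": None}
    return {"os": "Unknown", "version": None, "model": None}


# Hypothetical mapping from profile to an authorization group; the names are
# an assumption of this example, a real ISE policy is configured per deployment.
def authorization_group(profile: Dict[str, Optional[str]]) -> str:
    os_name = profile["os"] or "Unknown"
    if os_name == "iOS":
        return "Apple-iDevice"
    if os_name == "Android":
        return "Android-Device"
    if os_name.startswith("BlackBerry"):
        return "BlackBerry-Device"
    if os_name.startswith("Windows"):
        return "Windows-Device"
    return "Unknown-Device"


if __name__ == "__main__":
    for name, ua in SAMPLE_USER_AGENTS.items():
        profile = profile_user_agent(ua)
        print(f"{name:15} {profile}  ->  {authorization_group(profile)}")
```

The Samsung string is the interesting case: the locale token (`en-ca`) sits between the version and the model, so the model regex must skip any number of `;`-separated tokens rather than assume the model follows the version directly.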
Viewing Endpoint Profiling Data
[Screenshots: ISE endpoint profiling data for a device under test]
Digital Certificates Usage and Provisioning Methods
Certificates, Trust and 802.1X
 Public Key Infrastructure (PKI) uses the concept of trusted Certification Authorities (CAs). A list of public CAs on the Internet is embedded as Trusted Roots in the certificate store of every device
 Many organizations deploy a private enterprise Certification Authority that gives them better control and scalability. The Root Certificate and certification chain of this private CA have to be provisioned on corporate devices in order for them to trust it
 Non-corporate mobile devices will not trust by default the certificates generated by a private CA and the
802.1X behavior of mobile devices in this scenario will vary:
– Apple iOS: User notification-> users might refuse to install the certificate and call the help desk
– Android: Will accept non-trusted certificates by default without warning!
– Windows RT/8: User notification -> users might refuse it as well
– Blackberry 7: No notification -> Access rejected
– Blackberry 10: Will accept non-trusted certificates by default without warning!
 Windows RT/8 and BB 7: Validation of the server certificate can be disabled for PEAP/EAP-TLS. Useful
for lab testing or proof-of-concept, but not recommended for production where we should use certificates
from Public CAs to avoid end user issues
Certificates Installation and Enrollment
Non-trusted Root and user/device certificates can be created and provisioned on mobile devices using a number of methods, manual or automated:
 Copy it to the device. Ex: corporate mobile devices
 Push computer or user certificates through Group Policy Objects (GPOs) for Windows corporate devices
 The administrator creates the certificate and emails it to the user's device. Ex: BYOD personal device
 Certificate Server web portal (administrator or user)
 Certificate creation and provisioning can be automated with the Simple Certificate Enrollment Protocol (SCEP). A few options are available:
– SCEP from the mobile device itself (support varies by mobile platform)
– SCEP with the Anyconnect VPN client
– SCEP Proxy with the Anyconnect VPN client and the ASA
– Identity Services Engine (ISE) with the Onboarding service for 802.1X, SCEP with Mobile Device Management solutions
Certificate Enrollment using SCEP and VPN
SCEP with Anyconnect: the client sends the SCEP request to the CA through the IPSec/SSL tunnel (Anyconnect Profile: SCEP Host = myCA.bn-lab.local)
• Initiated by the user
• No Certificate renewal
• Needs direct access to the CA
• Requires Anyconnect 2.4+
SCEP Proxy with Anyconnect and the ASA: the SCEP request goes through the IPSec/SSL tunnel to the ASA, which (1) performs policy enforcement and (2) inserts the machine device-id from posture, then sends the SCEP request to the CA
• Controlled by the head-end (ASA)
• Pre-enrollment policy enforcement
• Device-ID for Authorization
• Automatic Certificate renewal
• Only the ASA communicates with the CA
• Requires Anyconnect 3.0+
Onboarding with ISE on Wired/WLAN
[Diagram: personal asset (Mary) -> Access Point -> Wireless LAN Controller -> ISE, with AD/LDAP and a CA behind ISE; SSID: BYOD-Secure]
1. Mary connects to the Secure SSID (User Name = Mary, Password = *******)
2. Redirect to the Self-Provisioning Portal
3. Register Device, Provision Certificate, Configure Supplicant
4. Mary reconnects to the Secure SSID
N.B.: A dual-SSID option can also be used where the 2nd Open SSID is used for the onboarding process
ISE Authorization Using Certificate Attributes
• Registered Devices: indicates the device went through the BYOD onboarding process
• Network Access only allows EAP-TLS authentication with a certificate
• The RADIUS attribute Calling-Station-ID contains the MAC address of the device, which is compared against the SAN in the certificate
• The AD username is read from the Subject Name and sent to AD, where its attributes are retrieved for authorization
• Different permissions assigned (VLAN, ACLs, etc.)
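The rule on the slide above chains four checks: EAP-TLS only, Calling-Station-ID equal to the MAC in the certificate SAN, device registered through onboarding, and group lookup of the Subject CN user. The Python below is an added example written for this page, not ISE code and not from the presentation, that evaluates one access request the same way. The directory, the registered-device set, the VLAN/ACL names and the request dictionary are all constructed; the identities reuse the slide's example (CN=slevesqu, SAN=00:21:6A:AB:0C:8E). The one detail worth seeing in code is MAC normalisation: RADIUS clients, certificate SANs and switch logs write the same address in different formats, and a naive string comparison would wrongly reject a legitimate device.

```python
import re
from typing import Dict, List, Optional, Set

_SEPARATORS = re.compile(r"[:\-.]")
_MAC12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(value: str) -> Optional[str]:
    """Canonicalise 00:21:6A:AB:0C:8E, 00-21-6a-ab-0c-8e or 0021.6aab.0c8e to
    12 lowercase hex digits. Returns None for anything that is not a MAC
    (an rfc822Name SAN, for instance), so such entries never match."""
    digits = _SEPARATORS.sub("", value.strip().lower())
    return digits if _MAC12.match(digits) else None


# Constructed stand-ins for AD/LDAP and the ISE endpoint database.
DIRECTORY: Dict[str, List[str]] = {
    "slevesqu": ["Domain Users", "Employees"],
    "contractor1": ["Domain Users", "Contractors"],
}
REGISTERED_DEVICES: Set[str] = {"00216aab0c8e"}

# Assumed permission sets; VLAN and ACL names are made up for the example.
PERMISSIONS = {
    "Employees": {"vlan": "20", "acl": "PERMIT-CORP"},
    "Contractors": {"vlan": "30", "acl": "PERMIT-INTERNET-ONLY"},
}


def authorize(request: dict) -> Dict[str, Optional[str]]:
    """Evaluate a RADIUS access request carrying the EAP type, the
    Calling-Station-ID and the client certificate's Subject CN and SAN list."""
    if request.get("eap_type") != "EAP-TLS":
        return {"result": "ACCESS_REJECT", "reason": "only EAP-TLS is allowed"}

    calling_mac = normalize_mac(str(request.get("calling_station_id", "")))
    if calling_mac is None:
        return {"result": "ACCESS_REJECT", "reason": "Calling-Station-ID is not a MAC address"}

    # Only SAN entries that are MAC addresses take part in the comparison.
    san_macs = {m for m in (normalize_mac(s) for s in request.get("cert_san", [])) if m}
    if calling_mac not in san_macs:
        return {"result": "ACCESS_REJECT", "reason": "certificate SAN does not contain the calling MAC"}

    if calling_mac not in REGISTERED_DEVICES:
        return {"result": "ACCESS_REJECT", "reason": "device has not completed BYOD onboarding"}

    user = str(request.get("cert_subject_cn", "")).lower()
    groups = DIRECTORY.get(user)
    if groups is None:
        return {"result": "ACCESS_REJECT", "reason": "user from Subject CN not found in directory"}

    # First group with a defined permission set wins; "Domain Users" alone grants nothing.
    for group in groups:
        if group in PERMISSIONS:
            perm = PERMISSIONS[group]
            return {"result": "ACCESS_ACCEPT", "user": user, "group": group,
                    "vlan": perm["vlan"], "acl": perm["acl"]}
    return {"result": "ACCESS_REJECT", "reason": "no authorization rule for the user's groups"}


# Constructed request mirroring the slide's example certificate.
SAMPLE_REQUEST = {
    "eap_type": "EAP-TLS",
    "calling_station_id": "00-21-6A-AB-0C-8E",   # RADIUS dash format
    "cert_subject_cn": "slevesqu",
    "cert_san": ["00:21:6A:AB:0C:8E", "slevesqu@example.test"],
}

if __name__ == "__main__":
    print(authorize(SAMPLE_REQUEST))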
Certificates Installation Summary
Method | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7 | BB10
Email | Yes | Yes | Yes | No (1) | Yes | No
Copy To Device | Yes | Yes | Yes (2) | Yes | Yes | Yes
Web (CA Server) | Yes | Yes | Yes | Yes | Yes | No
Anyconnect SCEP | Yes | No | Yes | Yes | No | No
SCEP Proxy | Yes | No | Yes | Yes | No | No
ISE Onboarding (3) | Yes | No | Yes | Yes | No | No
1. Can not be installed from email directly but can be saved and installed from storage
2. Via the iPhone Configuration Utility or an MDM
3. More details on supported platforms:
http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
Certificate Management
[Screenshots: numbered steps for viewing and managing the installed certificates on each device under test; swipe in to reach the settings where applicable.]
Remote Access VPN
ASA Remote Access VPN Options Review
• Clientless SSL: basic Web, Email and CIFS access; customized user screen
• Thin-Client SSL: plugins (SSH, VNC, Telnet, RDP, Citrix); Smart Tunnels
• Client-Based: SSL or IPSec with AnyConnect
Citrix Mobile Receiver Support
 ASA release 9.0 introduces the support of the Citrix Mobile Receiver application directly in clientless SSLVPN for most desktop OSes and for Apple iOS and Android
̶ Allows the ASA to communicate directly to XenApp 6.5 or XenDesktop 5.5, 5.6
[Diagram: user device connected using Citrix Online Plug-Ins -> Internet -> Firewall -> Cisco ASA acting as the Access Gateway -> Web Interface installed behind the Access Gateway -> Server Farm]
Websockets HTML5 Access
 ASA release 9.1(4) introduces the support of Websockets and HTML5 proxy
 Enables a “fully clientless” solution homogeneously across different OSes using a browser that supports HTML5 – No more dependencies on Java and ActiveX!
 Uses 3rd-party Websockets gateways that convert HTML5 to a client protocol such as RDP/VNC/etc
 The HTML5 resource is a simple bookmark accessed on the ASA clientless Web Portal
[Diagram: mobile device with an HTML5 browser -- SSL --> Internet --> ASA -- SSL --> Websockets Gateway/Server -- RDP, VNC, CIFS, etc --> Application in the Intranet / Data Center]
Mobile Devices VPN Support Summary
Method | Win 8 Pro/Enterprise | Win RT/Phone | Apple iOS | Android | BB7/10
Anyconnect – SSL transport | Yes | No (1) | Yes | Yes | No (1)
Anyconnect – IPSec/IKEv2 | Yes | No (1) | Yes | Yes | No (1)
Websockets – HTML5 | Yes | Yes | Yes | Yes | Yes
Native VPN support | Yes | Yes | Yes | Yes | No
Clientless/Smart Tunnels/Plugins | Yes | No | No | No | No
Clientless – Mobile Citrix Receiver | No | No | Yes (v4+) | Yes (v2+) | No
1. RIM/BB and Microsoft do not allow the development of Anyconnect (or other VPN clients) on BBOS and Windows RT/Phone
• For more detailed information on device/OS support, please consult the ASA Supported VPN Platforms document:
http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp177602
• For more information on features supported on Anyconnect with Android and Apple iOS, please consult their respective release notes:
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-android.html
http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html#wp1148532
Corporate vs BYOD
How can I apply different access policies to a corporate device and a personal BYOD?
How can I prevent a personal BYOD from connecting to my network?
2 methods can be used to match device-specific identity information that allows a differentiation of policies:
1. Use of certificates for authentication and authorization: Certificate attributes can be defined for use cases like Corporate & BYOD. These attributes can be matched to different authorization policies in the ASA and ISE
2. With posture: The posture service on the ASA for VPN and on ISE can gather information on the device that can include the device type, OS type, processes/services running, Windows registry information, file information and certificate information.
– If, for example, a corporate device is only ever a Windows PC domain member, the posture service could look for a specific piece of information like the registry entry defining the AD Domain, something that a mobile device would not have
– If no mobile devices are to be allowed to connect, the posture service could use rules that deny access to all mobile device types
Mobile Posture with Anyconnect
 ASA Release 8.2(5) introduced the ability to pass posture endpoint attributes from
Anyconnect to ASA Dynamic Access Policies (DAP)
 Can be used to control VPN connections from mobile endpoints and assign them specific
access policies.
 Posture is also used with SCEP proxy in ASA 9.0 to embed unique device identity in
certificate enrollment requests
 The Mobile Endpoint attributes include:
‒ Version of the Anyconnect client (e.g. “3.0.x”)
‒ Client Platform (“apple-ios”, “android”, etc)
‒ Client OS version (e.g. “5.0”)
‒ Type of device (varies per client platform but can be used to differentiate iPad from iPhone)
‒ Device UniqueID (varies per client platform, consists of Device UDID for iOS, opaque hash of
IMEI/MEID/ESN or MAC+AndroidID for Android mobiles)
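The slide above lists the mobile endpoint attributes that Anyconnect passes to the ASA for Dynamic Access Policies. The Python below is an added example for this page, not ASA or Anyconnect code, that evaluates a small first-match rule set over such attributes the way a DAP does: platform, minimum platform version and minimum client version, with a deny when no rule matches or when the posture attributes are absent. The attribute names are modeled on the ASA's endpoint.anyconnect.* attributes but are an assumption of the example, as are the rule names, the action names and the sample endpoints. The part a practitioner trips over is version comparison: values like "3.0.x" or "3.0.09266" must be compared numerically with zero-padding, not as strings.

```python
import re
from typing import Dict, List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """'3.0.5080' -> (3, 0, 5080); '3.0.x' -> (3, 0, 0): non-numeric pieces count as 0."""
    parts = []
    for piece in text.split("."):
        digits = re.sub(r"\D", "", piece)
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(actual: str, minimum: str) -> bool:
    """Compare dotted versions with zero-padding so '3.0' == '3.0.0' and '3.0' < '3.0.1'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    return a + (0,) * (width - len(a)) >= m + (0,) * (width - len(m))


# Assumed attribute names, modeled on the ASA DAP endpoint.anyconnect.* attributes.
REQUIRED = (
    "endpoint.anyconnect.clientversion",
    "endpoint.anyconnect.platform",
    "endpoint.anyconnect.platformversion",
    "endpoint.anyconnect.deviceuniqueid",
)

# Constructed rule set, evaluated top to bottom; first match wins, no match -> deny.
RULES: List[Dict[str, object]] = [
    {"name": "ios-current", "platforms": {"apple-ios"}, "min_platform": "6.1",
     "min_client": "3.0", "action": "mobile-corp-access"},
    {"name": "android-current", "platforms": {"android"}, "min_platform": "4.1",
     "min_client": "3.0", "action": "mobile-limited-access"},
    {"name": "mobile-outdated", "platforms": {"apple-ios", "android"},
     "action": "quarantine"},
    {"name": "desktop", "platforms": {"win", "mac-intel", "linux-64"},
     "action": "full-access"},
]


def evaluate_dap(endpoint: Dict[str, str], rules=RULES) -> Dict[str, Optional[str]]:
    """Return the first matching rule's action, or deny with a reason."""
    missing = [k for k in REQUIRED if not endpoint.get(k)]
    if missing:
        # Without posture data the device cannot be classified; fail closed.
        return {"rule": None, "action": "deny",
                "reason": "posture attributes missing: " + ", ".join(missing)}
    platform = endpoint["endpoint.anyconnect.platform"]
    for rule in rules:
        if platform not in rule["platforms"]:
            continue
        if "min_platform" in rule and not version_at_least(
                endpoint["endpoint.anyconnect.platformversion"], str(rule["min_platform"])):
            continue
        if "min_client" in rule and not version_at_least(
                endpoint["endpoint.anyconnect.clientversion"], str(rule["min_client"])):
            continue
        return {"rule": str(rule["name"]), "action": str(rule["action"]), "reason": "matched"}
    return {"rule": None, "action": "deny", "reason": "no rule matched platform " + platform}


# Constructed sample endpoints (device ids are placeholders, not real UDIDs).
IPAD_POSTURE = {
    "endpoint.anyconnect.clientversion": "3.0.09266",
    "endpoint.anyconnect.platform": "apple-ios",
    "endpoint.anyconnect.platformversion": "6.1.2",
    "endpoint.anyconnect.devicetype": "iPad3,1",
    "endpoint.anyconnect.deviceuniqueid": "constructed-udid-0001",
}
OLD_ANDROID_POSTURE = {
    "endpoint.anyconnect.clientversion": "3.0.x",
    "endpoint.anyconnect.platform": "android",
    "endpoint.anyconnect.platformversion": "4.0.3",
    "endpoint.anyconnect.deviceuniqueid": "constructed-hash-0002",
}
NO_POSTURE = {"endpoint.anyconnect.platform": "android"}

if __name__ == "__main__":
    for label, ep in (("ipad", IPAD_POSTURE), ("old-android", OLD_ANDROID_POSTURE), ("no-posture", NO_POSTURE)):
        print(label, evaluate_dap(ep))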
Mobile Posture Configuration
[Screenshots: in the DAP endpoint attribute editor, choose Anyconnect as the Endpoint Attribute Type; then select an Access Policy for the DAP defined.]
Mobile VPN Authorization with Certificates
• Certificate maps can be used with the ASA to allow matching of received
certificate DN values and then map them to a Connection Profile.
• Can be used with IPSec VPN and SSL VPN
• Can be used with the Local CA feature on the ASA or with certificates
generated from a 3rd-party CA
• The following values from the certificate can be used for mapping:
1. Alt-subject-name
2. Subject-name
3. Issuer-name
4. Extended Key Usage (EKU) extensions
More on Certificates for VPN: BRKSEC-2053: Practical PKI for VPN
ASA Certificate Matching Configuration for VPN
[Screenshot: certificate map configuration on the ASA]
Licensing on the ASA
 AnyConnect Essentials enables the use of Anyconnect for a full-tunnel VPN with SSL or IPSec IKEv2. One license is required per ASA
 Anyconnect Premium activates advanced features such as the Clientless Portal, Smart Tunnels, Plugins, Posture and Mobile Posture. One license per concurrent user is required.
 Anyconnect Essentials and Premium are mutually exclusive on an ASA
 The Anyconnect Mobile license is required on top of Anyconnect Essentials or Anyconnect Premium licenses for mobile devices to establish a VPN tunnel with the ASA! One license is required per ASA
 For ASA releases 8.2 and below, 2 licenses per failover pair are required. Starting from ASA release 8.3, only one license is required per failover pair
 Recommendation: Always include the Anyconnect Mobile License when purchasing a new ASA for VPN
Web Security
Web Security Gateway - Deployment Methods
 Web Security Gateways such as the Cisco Web Security Appliance (WSA) provide a number of security services at an organization’s perimeter, such as URL Filtering, Web Reputation Filtering, Anti-Malware Filtering, Granular Application Control, Data Loss Prevention and others
 These gateways typically do not sit inline with the traffic, and therefore Web user traffic must be redirected to them
 3 methods can be used for this redirection:
‒ Explicit Forward Mode: A proxy server entry is configured in the web browser, manually or automatically with Web Proxy Auto-Discovery (WPAD), to send its traffic to the Web Security Gateway
‒ Transparent Mode: The Web Cache Communication Protocol (WCCP) is used between the Web Security Gateway and a network or security device to redirect user traffic to the Web Security Gateway
‒ Load-Balancers: For larger deployments. A Load-Balancer redirects the user traffic to the Web Security Gateway farm
Web Security Gateway – User Authentication
 Organizations typically require users to authenticate to an enterprise directory such as Active Directory before accessing Internet resources, to allow for enforcement of Acceptable Use Policies per role and to provide auditing for reporting and compliance purposes
 3 methods can be used to authenticate users:
‒ Basic Browser Authentication: The user is prompted to enter his credentials, which can be sent to Active Directory/LDAP for authentication. Credentials can be cached by the browser to prevent the user from being prompted in the future. The user’s AD/LDAP attributes are also fetched for authorization and mapping to Access Policies. Appropriate for BYOD, guests or consultants.
‒ NTLMSSP Browser Authentication: The user’s Windows login credentials are fetched transparently from the browser using an NTLM challenge-response authentication and sent to Active Directory for authentication. The user’s AD attributes are also fetched for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
‒ Passive Identification: The Web Gateway uses the user’s IP address and sends a request to the Active Directory/Novell Directory Server that maintains the mapping of usernames to IP addresses seen when users log in. The Web Gateway then fetches the user’s AD/LDAP attributes for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
Proxy and Authentication Methods Support
Feature | Win 8 Pro/Enterprise | Win RT | Apple iOS | Android | BB7 | BB10
Proxy Configuration | Yes | Yes | Yes | Yes | No (1) | Yes
PAC-WPAD | Yes | Yes | Yes | No | No | Yes
PAC-GPO | Yes | No | No | No | No | No
PAC-MDM (3) | Yes | No | Yes | No | No | No
Basic Authentication | Yes | Yes | Yes | Yes | Yes | Yes
NTLMSSP | Yes | Yes (2) | Yes (2) | Yes (2) | No | Yes (2)
Passive Identification | Yes | No | No | No | No | No
1. No support on native browser on Wifi. Supported with the Opera mini-browser and 3rd-party applications (not tested)
2. No Single Sign-On
3. Using the Airwatch MDM. Other MDMs may have different capabilities
More on WSA: BRKSEC-3771: Advanced Web Security Deployment with WSA and ASA-CX
Recommendations and Conclusion
Deployment Recommendations
 Security policies relative to the use of personal devices in the corporate environment should be created before a BYOD deployment
 Business unit owners should be involved to define the requirements and use cases that will drive the architecture of the solution for mobile devices
 User education and awareness is key! A BYOD deployment should include training and guidelines for users on how to use their personal mobile device to lower the risk of having their device compromised and exploited
 A private Certification Authority should be considered for deployments requiring differentiation of access privileges between corporate and personal mobile devices
 Profiling and VPN posture can be used to differentiate mobile devices from laptops/desktops and are great tools for device identification and inventory
 A Virtual Desktop Infrastructure (VDI) architecture can help reduce the risk of data leakage and improve the user experience
 
Безопасност и защита на Android – мобилни комуникации
Безопасност и защита на Android – мобилни комуникацииБезопасност и защита на Android – мобилни комуникации
Безопасност и защита на Android – мобилни комуникации
 

Viewers also liked

BYOD: Bring Your Own Device Implementation and Security Issues
BYOD: Bring Your Own Device Implementation and Security IssuesBYOD: Bring Your Own Device Implementation and Security Issues
BYOD: Bring Your Own Device Implementation and Security IssuesHarsh Kishore Mishra
 
Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...
Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...
Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...Silvia Mirri
 
Profiling Android Applications
Profiling Android ApplicationsProfiling Android Applications
Profiling Android Applicationshubx
 
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect Robb Boyd
 
The Context Aware Network A Holistic Approach to BYOD
The Context Aware Network A Holistic Approach to BYODThe Context Aware Network A Holistic Approach to BYOD
The Context Aware Network A Holistic Approach to BYODCisco Canada
 
Ruckus BYOD whitepaper
Ruckus BYOD whitepaperRuckus BYOD whitepaper
Ruckus BYOD whitepaperMichal Jarski
 
AnyConnect Secure Mobility
AnyConnect Secure MobilityAnyConnect Secure Mobility
AnyConnect Secure MobilityCisco Canada
 
BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.Michal Jarski
 
Trends in Accounting and Auditing
Trends in Accounting and AuditingTrends in Accounting and Auditing
Trends in Accounting and AuditingIbrahim Sulaiman
 
An Introduction on Design and Implementation on BYOD and Mobile Security
An Introduction on Design and Implementation on BYOD and Mobile SecurityAn Introduction on Design and Implementation on BYOD and Mobile Security
An Introduction on Design and Implementation on BYOD and Mobile SecuritySina Manavi
 
Cloud Security and Bring Your Own Device (BYOD) Security
Cloud Security and Bring Your Own Device (BYOD) SecurityCloud Security and Bring Your Own Device (BYOD) Security
Cloud Security and Bring Your Own Device (BYOD) SecurityNicholas Davis
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authenticationdkaya
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentialsCraig Mullins
 
Network access protection ppt
Network access protection pptNetwork access protection ppt
Network access protection pptDasarathi Dash
 
Authenticated and unrestricted auditing of big data space on cloud through v...
Authenticated and unrestricted auditing of big data space on  cloud through v...Authenticated and unrestricted auditing of big data space on  cloud through v...
Authenticated and unrestricted auditing of big data space on cloud through v...IJMER
 

Viewers also liked (16)

BYOD: Bring Your Own Device Implementation and Security Issues
BYOD: Bring Your Own Device Implementation and Security IssuesBYOD: Bring Your Own Device Implementation and Security Issues
BYOD: Bring Your Own Device Implementation and Security Issues
 
Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...
Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...
Profiling Learners with Special Needs for Custom E-Learning Experiences, a Cl...
 
Profiling Android Applications
Profiling Android ApplicationsProfiling Android Applications
Profiling Android Applications
 
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
TechWiseTV Workshop: Q&A OpenDNS and AnyConnect
 
The Context Aware Network A Holistic Approach to BYOD
The Context Aware Network A Holistic Approach to BYODThe Context Aware Network A Holistic Approach to BYOD
The Context Aware Network A Holistic Approach to BYOD
 
Ruckus BYOD whitepaper
Ruckus BYOD whitepaperRuckus BYOD whitepaper
Ruckus BYOD whitepaper
 
AnyConnect Secure Mobility
AnyConnect Secure MobilityAnyConnect Secure Mobility
AnyConnect Secure Mobility
 
Fetc byod best_prac
Fetc byod best_pracFetc byod best_prac
Fetc byod best_prac
 
BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.BYOD - Ruckus way. Right way.
BYOD - Ruckus way. Right way.
 
Trends in Accounting and Auditing
Trends in Accounting and AuditingTrends in Accounting and Auditing
Trends in Accounting and Auditing
 
An Introduction on Design and Implementation on BYOD and Mobile Security
An Introduction on Design and Implementation on BYOD and Mobile SecurityAn Introduction on Design and Implementation on BYOD and Mobile Security
An Introduction on Design and Implementation on BYOD and Mobile Security
 
Cloud Security and Bring Your Own Device (BYOD) Security
Cloud Security and Bring Your Own Device (BYOD) SecurityCloud Security and Bring Your Own Device (BYOD) Security
Cloud Security and Bring Your Own Device (BYOD) Security
 
Implementing 802.1x Authentication
Implementing 802.1x AuthenticationImplementing 802.1x Authentication
Implementing 802.1x Authentication
 
Database auditing essentials
Database auditing essentialsDatabase auditing essentials
Database auditing essentials
 
Network access protection ppt
Network access protection pptNetwork access protection ppt
Network access protection ppt
 
Authenticated and unrestricted auditing of big data space on cloud through v...
Authenticated and unrestricted auditing of big data space on  cloud through v...Authenticated and unrestricted auditing of big data space on  cloud through v...
Authenticated and unrestricted auditing of big data space on cloud through v...
 

Similar to Mobile Devices & BYOD Security – Deployment & Best Practices

Cyber security and cyber law
Cyber security and cyber lawCyber security and cyber law
Cyber security and cyber lawDivyank Jindal
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsAlane Moran
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessMicrosoft Tech Community
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture  Practical Enterprise Security Architecture
Practical Enterprise Security Architecture Priyanka Aash
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solutionmatthew.maisel
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsHoneywell
 
NSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threatsNSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threatsRonald Bartels
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析Onward Security
 
IRJET- Network Monitoring & Network Security
IRJET-  	  Network Monitoring & Network SecurityIRJET-  	  Network Monitoring & Network Security
IRJET- Network Monitoring & Network SecurityIRJET Journal
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsBen Rothke
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaAndy Shutka
 

Similar to Mobile Devices & BYOD Security – Deployment & Best Practices (20)

Cyber security and cyber law
Cyber security and cyber lawCyber security and cyber law
Cyber security and cyber law
 
A modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systemsA modern approach to safeguarding your ICS and SCADA systems
A modern approach to safeguarding your ICS and SCADA systems
 
Removing Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment SuccessRemoving Security Roadblocks to IoT Deployment Success
Removing Security Roadblocks to IoT Deployment Success
 
Security and-visibility
Security and-visibilitySecurity and-visibility
Security and-visibility
 
Module 6.pdf
Module 6.pdfModule 6.pdf
Module 6.pdf
 
Module 6.Security in Evolving Technology
Module 6.Security in Evolving TechnologyModule 6.Security in Evolving Technology
Module 6.Security in Evolving Technology
 
Firewalls
FirewallsFirewalls
Firewalls
 
Practical Enterprise Security Architecture
Practical Enterprise Security Architecture  Practical Enterprise Security Architecture
Practical Enterprise Security Architecture
 
The 300 Leonidas Solution
The 300 Leonidas SolutionThe 300 Leonidas Solution
The 300 Leonidas Solution
 
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity SolutionsSchneider-Electric & NextNine – Comparing Remote Connectivity Solutions
Schneider-Electric & NextNine – Comparing Remote Connectivity Solutions
 
NSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threatsNSA advisory about state sponsored cybersecurity threats
NSA advisory about state sponsored cybersecurity threats
 
Nozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-SheetNozomi Networks SCADAguardian - Data-Sheet
Nozomi Networks SCADAguardian - Data-Sheet
 
Securing SCADA
Securing SCADA Securing SCADA
Securing SCADA
 
Securing SCADA
Securing SCADASecuring SCADA
Securing SCADA
 
国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析国际物联网安全标准与认证大解析
国际物联网安全标准与认证大解析
 
ICC Networking Data Security
ICC Networking Data SecurityICC Networking Data Security
ICC Networking Data Security
 
ICC Networking Data Security
ICC Networking Data SecurityICC Networking Data Security
ICC Networking Data Security
 
IRJET- Network Monitoring & Network Security
IRJET-  	  Network Monitoring & Network SecurityIRJET-  	  Network Monitoring & Network Security
IRJET- Network Monitoring & Network Security
 
How PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applicationsHow PCI And PA DSS will change enterprise applications
How PCI And PA DSS will change enterprise applications
 
IoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfuaIoT security-arrow-roadshow #iotconfua
IoT security-arrow-roadshow #iotconfua
 

More from Cisco Canada

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco Canada
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic frCisco Canada
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco Canada
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dcCisco Canada
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla nsCisco Canada
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco Canada
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Canada
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco Canada
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Cisco Canada
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v finalCisco Canada
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco Canada
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco Canada
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...Cisco Canada
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kineticCisco Canada
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...Cisco Canada
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet OverviewCisco Canada
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assuranceCisco Canada
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicingCisco Canada
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco merakiCisco Canada
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zeroCisco Canada
 

More from Cisco Canada (20)

Cisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devopsCisco connect montreal 2018 net devops
Cisco connect montreal 2018 net devops
 
Cisco connect montreal 2018 iot demo kinetic fr
Cisco connect montreal 2018   iot demo kinetic frCisco connect montreal 2018   iot demo kinetic fr
Cisco connect montreal 2018 iot demo kinetic fr
 
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal VirtualizationCisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
Cisco connect montreal 2018 - Network Slicing: Horizontal Virtualization
 
Cisco connect montreal 2018 secure dc
Cisco connect montreal 2018    secure dcCisco connect montreal 2018    secure dc
Cisco connect montreal 2018 secure dc
 
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018   enterprise networks - say goodbye to vla nsCisco connect montreal 2018   enterprise networks - say goodbye to vla ns
Cisco connect montreal 2018 enterprise networks - say goodbye to vla ns
 
Cisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse localeCisco connect montreal 2018 vision mondiale analyse locale
Cisco connect montreal 2018 vision mondiale analyse locale
 
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec CiscoCisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
Cisco Connect Montreal 2018 Securité : Sécuriser votre mobilité avec Cisco
 
Cisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybridesCisco connect montreal 2018 collaboration les services webex hybrides
Cisco connect montreal 2018 collaboration les services webex hybrides
 
Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018Integration cisco et microsoft connect montreal 2018
Integration cisco et microsoft connect montreal 2018
 
Cisco connect montreal 2018 compute v final
Cisco connect montreal 2018   compute v finalCisco connect montreal 2018   compute v final
Cisco connect montreal 2018 compute v final
 
Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2Cisco connect montreal 2018 saalvare md-program-xr-v2
Cisco connect montreal 2018 saalvare md-program-xr-v2
 
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
Cisco connect montreal 2018 sd wan - delivering intent-based networking to th...
 
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...Cisco Connect Toronto 2018   DNA automation-the evolution to intent-based net...
Cisco Connect Toronto 2018 DNA automation-the evolution to intent-based net...
 
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
Cisco Connect Toronto 2018   an introduction to Cisco kineticCisco Connect Toronto 2018   an introduction to Cisco kinetic
Cisco Connect Toronto 2018 an introduction to Cisco kinetic
 
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...Cisco Connect Toronto 2018   IOT - unlock the power of data - securing the in...
Cisco Connect Toronto 2018 IOT - unlock the power of data - securing the in...
 
Cisco Connect Toronto 2018 DevNet Overview
Cisco Connect Toronto 2018  DevNet OverviewCisco Connect Toronto 2018  DevNet Overview
Cisco Connect Toronto 2018 DevNet Overview
 
Cisco Connect Toronto 2018 DNA assurance
Cisco Connect Toronto 2018  DNA assuranceCisco Connect Toronto 2018  DNA assurance
Cisco Connect Toronto 2018 DNA assurance
 
Cisco Connect Toronto 2018 network-slicing
Cisco Connect Toronto 2018   network-slicingCisco Connect Toronto 2018   network-slicing
Cisco Connect Toronto 2018 network-slicing
 
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
Cisco Connect Toronto 2018   the intelligent network with cisco merakiCisco Connect Toronto 2018   the intelligent network with cisco meraki
Cisco Connect Toronto 2018 the intelligent network with cisco meraki
 
Cisco Connect Toronto 2018 sixty to zero
Cisco Connect Toronto 2018   sixty to zeroCisco Connect Toronto 2018   sixty to zero
Cisco Connect Toronto 2018 sixty to zero
 

Recently uploaded

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 

Recently uploaded (20)

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Mobile Devices & BYOD Security – Deployment & Best Practices

  • 2. Mobile Devices and BYOD Security: Deployment and Best Practices
    BRKSEC-2045
    Sylvain Levesque, Security Consulting Systems Engineer, slevesqu@cisco.com
  • 3. Agenda (© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public)
    • Test bed Used
    • State of Malware on Mobile Devices
    • 802.1X Network Authentication
    • Device Profiling with the Identity Services Engine
    • Digital Certificates Usage and Provisioning Methods
    • Remote Access VPN
    • Web Security
    • Recommendations and Conclusion
  • 5. Test bed Used
    • A number of tests were conducted for this session to document the behavior of mobile devices with different Cisco security solutions.
    • A group of devices under test was used to represent the major mobile platforms on the market today. Recent releases of operating systems were used and therefore the behavior documented in this presentation might vary with older OS releases.
    Devices under test:
      – Toshiba AT300 Tab / Android ICS 4.0.3
      – Samsung Galaxy Tab2 4.1+
      – Samsung: Nexus/Google Android JB 4.4+; Galaxy S2/SS Android JB 4.1.2
      – RIM/Blackberry: Bold 9900 7.1.0; Z10 10.0.10+
      – Microsoft Surface Windows 8 RT+
      – Apple iPad3 tablet / iOS 6.1.2+
    Infrastructure: Anyconnect 3.x, ASA 9.1(4), WSA 7.5(0)-833, ISE 1.2, Airwatch Cloud-Based MDM 6.3.1.2, Microsoft Certificate Services Windows 2008 Enterprise R2
    *ICS=Ice Cream Sandwich *JB=Jelly Bean
  • 6. State of Malware on Mobile Devices
  • 7. Mobile Devices Market
    • Android currently dominates the Mobile OS market followed by iOS
    • While iOS devices are pretty current, a large percentage of Android devices still use outdated releases that could be subject to security vulnerabilities
    [Charts: iOS Versions (Source: IDC) and Android Versions (Source: developer.android.com)]
  • 8. State of Malware
    Interesting statistics can be found on malware, exploits and mobile devices in this report:
      – Malware on Android up 2,577%
      – 99% of mobile malware target Android
      – Encounters with web malware: 70% Android, 22% Apple iOS
      – Malware on mobile devices: 1.2% of all web malware found (up from 0.42%)
      – Most exploits with Java: sparse support on mobile devices
    • The Cisco 2014 Annual Security Report describes the evolution of exploits and malware and is a great reference for any IT or Security professional: http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html
  • 9–10. Other Interesting Facts and Conclusions
    25% of malware on mobile devices comes from porn sites…
      – Phishing: still a major malware infection vector as with PCs
      – Users click on a link in an email that has them installing an App from an untrusted application store
    Typical exploits on Android:
      – subscription to premium SMS services
      – botnet infection and remote control
      – banking information theft
    2012 -> first Android botnet in the wild
    2013 -> large Android botnets observed in China (1 million + devices)
    The use of non-managed mobile devices could expose your organization to infection or data theft (Android or others)
    Cisco Annual Security Report: “The impact of BYOD and the proliferation of devices cannot be overstated, but organizations should be more concerned with threats such as accidental data loss, ensuring employees do not “root” or “jailbreak” their devices, and only install applications from official and trusted distribution channels”
  • 11. Secure Access with 802.1X, Remote Access VPN and Web Security
  • 12. Network-Based Authentication using 802.1X - Review
    • 802.1x is used to provide authentication of a user or a device to the network
    • 3 main components are involved in an 802.1x authentication:
      – Supplicant: Provides Identity Information to the network. Supplicant software is embedded in all modern Operating Systems. Ex: Apple iOS, Android, Windows 8, etc.
      – Authenticator: Device that controls access to the network, participates in the initial EAP (Extensible Authentication Protocol) exchange and acts as a relay between the Supplicant and the Authentication Server. Ex: Switch, Wireless Controller
      – Authentication Server: RADIUS Server that validates the identity information provided and sends authorization attributes such as a VLAN, Access-List, Session timeout, URL for redirection. The identity can be optionally validated by an external Identity Store. Ex: ISE, ACS
    [Diagram: Supplicant <-EAP/WPA2-> Authenticator <-EAP over RADIUS-> Authentication Server (RADIUS); the EAP session runs end to end between Supplicant and Authentication Server]
  • 13. 802.1x Identity Information Types
    Different types for different mobility use cases:
    1. Username/Password Combination
      – User authentication (also Machine Auth for Windows)
      – Active Directory/LDAP/RADIUS ID Stores
      – EAP types: PEAP-MSCHAPv2, PEAP-GTC, EAP-FAST
    2. Two-Factor Authentication
      – Something you know, you have, you are
      – Mostly for user authentication
      – RSA SecurID and other token-based ID Systems
      – EAP types: PEAP-GTC, EAP-FAST/EAP-GTC
    3. Digital Certificates
      – Signed/emitted by a public or private Certificate Authority
      – Can be used for user and/or device authentication
      – Microsoft AD Certificate Services, Entrust, Verisign, etc.
      – EAP types: EAP-TLS, EAP-FAST
    Glossary: EAP = Extensible Authentication Protocol; PEAP = Protected EAP; GTC = Generic Token Card; FAST = Flexible Authentication via Secure Tunneling; TLS = Transport Layer Security
  • 14. Device & User Authentication/Authorization
    Phase 1 – Machine AuthC: PEAP-MSCHAPv2* or EAP-TLS, identity host/MTLLAB-W500 (Device AuthZ)
    Phase 2 – User AuthC: PEAP-MSCHAPv2 or EAP-TLS, identity CISCO\slevesqu (User AuthZ)
    1 + 2 phases possible: same EAP type with the native supplicant
    1 phase only: User AuthC as slevesqu with PEAP-MSCHAPv2 or EAP-TLS
    Certificate-based authentication: a certificate with CN=slevesqu and SAN=00:21:6A:AB:0C:8E can drive User AuthZ, Hybrid AuthZ or Device AuthZ
    *Windows RT/Phone can not join Active Directory and can not use PEAP-MSCHAPv2 for Machine Authentication
    AuthC=AuthentiCation AuthZ=AuthoriZation CN=Common Name SAN=Subject Alternate Name
  • 15. 2-Factor Authentication Workaround with 802.1X and Central Web Authentication
    1. 802.1X EAP-TLS authentication with Certificate -> Factor 1: Device Certificate!!!
    2. Central Web Authentication with User AD Account (on ISE) -> Factor 2: Employee User Credentials!!!
  • 16. Common 802.1X EAP Types and Compatibility
    EAP-Type        Win 8 Pro/Enterprise  Win RT  Apple iOS  Android  BB7/10  ACS 5.x  ISE 1.x  AD   LDAP
    EAP-TLS         Yes                   Yes     Yes        Yes      Yes     Yes      Yes      Yes  Yes
    PEAP MSCHAPv2   Yes                   Yes     Yes        Yes      Yes     Yes      Yes      Yes  No
    PEAP EAP-GTC    No(1)                 No      Yes        Yes      Yes     Yes      Yes      Yes  Yes
    EAP-FAST        No(1)                 No      Yes(2)     No(3)    Yes     Yes      Yes      Yes  No
    1. Supported through 3rd-party supplicants such as Anyconnect NAM
    2. Configuration required through Apple Configuration Utility or MDM
    3. No native support. Supported through Cisco Compatible Extensions (CCX) with specific mobile devices manufacturers. More information: http://www.cisco.com/web/partners/pr46/pr147/partners_pgm_partners_0900aecd800a7907.html
    No native support for token based systems such as RSA SecurID
    More on 802.1X: BRKSEC-2691: Identity Based Networking: IEEE 802.1X and beyond
  • 17. 802.1X Configuration: PEAP-MSCHAPv2 User Authentication Example [numbered screenshots of the device configuration steps]
  • 18. Device Profiling with the Identity Services Engine
  • 19. ISE Profiler Review
    • The ISE Profiler service uses a number of probes to capture the traffic generated by an endpoint device
    • It then extracts information from this traffic and compares patterns with profiling rules that are either pre-defined or custom-built to match an endpoint type and a profile
    • An Authorization rule can then use this information to assign network access privileges based on the device profile (iPhone/iPad vs Android vs Blackberry vs Windows)
    Probes Currently Used to Profile Mobile Devices:
    Probe     Data Provided
    RADIUS    OUI, MAC Address
    DHCP      DHCP attributes, hostname
    DNS       FQDN, hostname
    HTTP      User-Agent
    NMAP      OS fingerprint
    NETFLOW   TCP/UDP ports used
    SNMP      MIB strings
    More on Profiling: BRKSEC-3698: Advanced ISE and Secure Access Deployment
  • 20. Example of Profiling Rules for iPad [screenshot of the ISE profiling policy]
  • 21. Analyzing HTTP User Agents
    Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19
      – Mozilla/5.0: compatibility with Mozilla’s rendering engine
      – Android 4.0.3: OS and version
      – AT300: device model
      – AppleWebKit/535.19 (KHTML, like Gecko): HTML layout engine
      – Chrome/18.0.1025.166 Safari/535.19: browser and extensions
  • 22. Sample HTTP User Agents
    Apple iPad: Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53
    Windows RT: Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)
    Android Samsung Tab2 tablet: Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30
    Android LG Google Nexus 5 smartphone: Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36
    Blackberry Z10 smartphone: Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) Version/10.2.1.1925 Mobile Safari/537.35+
    View your own user-agent at: http://whatsmyuseragent.com
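    The profiling logic of slides 19–22 (ordered pattern rules applied to the HTTP User-Agent, then an authorization decision on the result) can be exercised in code. The Python below is an added example written for this transcript; it is not code from the presentation or from the ISE Profiler. It embeds the user agents listed on slide 22 as constructed sample input, derives platform, OS version and model with ordered regular-expression rules, and flags devices whose OS is below a per-platform floor, which is the kind of condition an authorization rule would use for the outdated Android releases mentioned on slide 7. The profile names, the floor values in MINIMUM_OS_VERSION and the function names are assumptions of the example.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample input: the user agents quoted on slide 22 (not live captures).
SAMPLE_USER_AGENTS = {
    "ipad": ("Mozilla/5.0 (iPad; CPU OS 7_0_4 like Mac OS X) AppleWebKit/537.51.1 "
             "(KHTML, like Gecko) Version/7.0 Mobile/11B554a Safari/9537.53"),
    "winrt": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; ARM; Trident/6.0; Touch)",
    "tab2": ("Mozilla/5.0 (Linux; U; Android 4.1.2; en-ca; SM-T210R Build/JZO54K) "
             "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Safari/534.30"),
    "nexus5": ("Mozilla/5.0 (Linux; Android 4.4.2; Nexus 5 Build/KOT49H) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/33.0.1750.166 Mobile Safari/537.36"),
    "bb10": ("Mozilla/5.0 (BB10; Touch) AppleWebKit/537.35+ (KHTML, like Gecko) "
             "Version/10.2.1.1925 Mobile Safari/537.35+"),
    "at300": ("Mozilla/5.0 (Linux; Android 4.0.3; AT300 Build/IML74K) AppleWebKit/535.19 "
              "(KHTML, like Gecko) Chrome/18.0.1025.166 Safari/535.19"),
}


@dataclass(frozen=True)
class Profile:
    platform: str              # assumed profile name, e.g. "Apple-iPad"
    os_version: Optional[str]  # dotted OS version when the User-Agent exposes one
    model: Optional[str]       # device model when the User-Agent exposes one


# Ordered rules, most specific first. Each regex captures the OS version as group "v"
# and, where the User-Agent carries it, the device model as group "m".
PROFILING_RULES = [
    ("Apple-iPad", re.compile(r"\((?P<m>iPad); CPU OS (?P<v>[\d_]+) like Mac OS X\)")),
    ("Apple-iPhone", re.compile(r"\((?P<m>iPhone); CPU iPhone OS (?P<v>[\d_]+) like Mac OS X\)")),
    ("Windows-RT", re.compile(r"Windows NT (?P<v>[\d.]+); ARM")),
    ("BlackBerry-10", re.compile(r"\((?P<m>BB10); Touch\).*?Version/(?P<v>[\d.]+)")),
    # Android: version, optional locale (en-ca), then the model up to " Build/"
    ("Android", re.compile(r"Android (?P<v>[\d.]+);(?: [a-z]{2}-[A-Za-z]{2};)? (?P<m>[^;)]+?) Build/")),
]


def profile_user_agent(ua: str) -> Profile:
    """Apply the ordered rules to a User-Agent string; the first match wins."""
    for platform, rule in PROFILING_RULES:
        match = rule.search(ua)
        if match:
            groups = match.groupdict()
            version = groups.get("v")
            # iOS writes 7_0_4; normalize to 7.0.4 so all platforms compare the same way
            if version:
                version = version.replace("_", ".")
            return Profile(platform, version, groups.get("m"))
    return Profile("Unknown", None, None)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.1.2' -> (4, 1, 2), so versions compare numerically rather than as strings."""
    return tuple(int(part) for part in version.split("."))


# Assumed per-platform OS floor (constructed policy values, not a vendor recommendation):
# an authorization rule could give anything older restricted access.
MINIMUM_OS_VERSION = {
    "Android": "4.1",
    "Apple-iPad": "6.1.2",
    "Apple-iPhone": "6.1.2",
    "BlackBerry-10": "10.0.10",
}


def is_outdated(profile: Profile) -> bool:
    """True when the platform has a floor and the reported OS version is below it."""
    floor = MINIMUM_OS_VERSION.get(profile.platform)
    if floor is None or profile.os_version is None:
        return False
    return version_tuple(profile.os_version) < version_tuple(floor)


if __name__ == "__main__":
    for name, ua in SAMPLE_USER_AGENTS.items():
        p = profile_user_agent(ua)
        print(f"{name:7} -> {p.platform:14} os={p.os_version} model={p.model} outdated={is_outdated(p)}")
```

    Rule order matters in the same way it does in the ISE profiler: the Windows RT pattern is tested before the generic Android one, and a string no rule matches falls through to an Unknown profile rather than to a permissive default. Note that the User-Agent is client-supplied, so a profile derived from it should select privileges only together with the other probes listed on slide 19 (OUI, DHCP, NMAP).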
  • 23. Viewing Endpoint Profiling Data [screenshots of the profiling data shown in ISE]
  • 24. Digital Certificates Usage and Provisioning Methods
  • 25. Certificates, Trust and 802.1X
    • Public Key Infrastructure (PKI) uses the concept of trusted Certification Authorities (CA). A list of public CAs on the Internet is embedded in the certificate store as Trusted Roots in every device
    • Many organizations deploy a private enterprise Certification Authority that allows them better control and scalability. The Root Certificate and certification chain of this private CA has to be provisioned in corporate devices in order for them to trust it
    • Non-corporate mobile devices will not trust by default the certificates generated by a private CA, and the 802.1X behavior of mobile devices in this scenario varies:
      – Apple iOS: User notification -> users might refuse to install the certificate and call the help desk
      – Android: Will accept non-trusted certificates by default without warning!
      – Windows RT/8: User notification -> users might refuse it as well
      – Blackberry 7: No notification -> Access rejected
      – Blackberry 10: Will accept non-trusted certificates by default without warning!
    • Windows RT/8 and BB 7: Validation of the server certificate can be disabled for PEAP/EAP-TLS. Useful for lab testing or proof-of-concept, but not recommended for production, where certificates from Public CAs should be used to avoid end user issues
  • 26. Certificates Installation and Enrollment
    Non-trusted Root and user/device Certificates can be created and provisioned on mobile devices using a number of methods that can be manual or automated:
    • Copy it to the device. Ex: Corporate mobile devices
    • Push computer or user certificates through Group-Policy Objects (GPOs) for Windows corporate devices
    • The administrator can create the certificate and email it to the user of the device. Ex: BYOD personal device
    • Certificate Server web portal (administrator or user)
    • The certificate creation and provisioning can be automated with the Simple Certificate Enrollment Protocol (SCEP). A few options are available:
      – SCEP from the mobile device itself (support varies by mobile platform)
      – SCEP with the Anyconnect VPN client
      – SCEP Proxy with the Anyconnect VPN client and the ASA
      – Identity Services Engine (ISE) with the Onboarding service for 802.1x, SCEP with Mobile Device Management solutions
  • 27. Certificate Enrollment using SCEP and VPN
    SCEP with Anyconnect (Anyconnect Profile: SCEP Host = myCA.bn-lab.local): the SCEP request from the client crosses the IPSec/SSL tunnel and the ASA to reach the CA directly
      – Initiated by the user
      – No Certificate renewal
      – Needs direct access to CA
      – Requires Anyconnect 2.4+
    SCEP Proxy with Anyconnect and the ASA: the SCEP request terminates on the ASA, which 1. performs policy enforcement and 2. inserts the machine device-id from posture, then sends its own SCEP request to the CA
      – Controlled by the head-end (ASA)
      – Pre-enrollment policy enforcement
      – Device-ID for Authorization
      – Automatic Certificate renewal
      – Only ASA communicates with CA
      – Requires Anyconnect 3.0+
  • 28. Onboarding with ISE on Wired/WLAN
    Components: Personal asset (Mary), Access Point, Wireless LAN Controller, ISE, AD/LDAP, CA; BYOD-Secure SSID
    1. Mary connects to the Secure SSID (User Name = Mary, Password = *******)
    2. Redirect to the Self Provisioning Portal
    3. Register Device, Provision Certificate, Configure Supplicant; Mary reconnects to the Secure SSID
    N.B.: A dual-SSID option can also be used where the 2nd Open SSID is used for the onboarding process
  • 29. ISE Authorization Using Certificate Attributes
    • Registered Devices: Indicates the device went through the BYOD onboarding process
    • Network Access only allows EAP-TLS authentication with Certificate
    • The Radius attribute Calling-Station-ID contains the MAC address of the device which is compared against the SAN in the Certificate
    • The AD username is read from the Subject-Name and sent to AD where its attributes are retrieved for authorization
    • Different Permissions Assigned (VLAN, ACLs, etc)
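    The authorization rule of slide 29, written out as an added Python example (not the presentation's or ISE's own code): it requires EAP-TLS, compares the RADIUS Calling-Station-Id with the MAC placed in the certificate SAN during onboarding, checks the device against the registered-device list, and maps the AD groups of the Subject CN to a permission set. The user slevesqu and the MAC 00:21:6A:AB:0C:8E come from slide 14; the registered-device set, the AD group lookup and the permission names are constructed stand-ins for the ISE endpoint database, Active Directory and ISE authorization profiles.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class AccessRequest:
    """The parts of an 802.1X access request this authorization rule inspects."""
    eap_type: str                   # e.g. "EAP-TLS", "PEAP-MSCHAPv2"
    calling_station_id: str         # RADIUS Calling-Station-Id: the endpoint MAC as the NAS reports it
    cert_subject_cn: Optional[str]  # Subject CN of the client certificate, None without a certificate
    cert_san: Optional[str]         # SAN of the client certificate (onboarding writes the MAC there)


# Constructed stand-ins for the ISE endpoint database and the AD group lookup.
REGISTERED_DEVICES: Set[str] = {"00:21:6A:AB:0C:8E"}  # MACs that completed BYOD onboarding
AD_GROUPS: Dict[str, Set[str]] = {"slevesqu": {"Domain Users", "Engineering"}}

# Constructed permission sets standing in for ISE authorization profiles (VLAN, ACL).
PERMISSIONS = {
    "Engineering": "VLAN 20, ACL PERMIT-ENGINEERING",
    "Domain Users": "VLAN 10, ACL PERMIT-EMPLOYEE",
}


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC to the 00:21:6A:AB:0C:8E form.

    Switches and controllers report Calling-Station-Id in several forms
    (00-21-6a-ab-0c-8e, 0021.6aab.0c8e, 00216AAB0C8E); comparing the raw
    string with the SAN would wrongly deny a legitimate device.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(req: AccessRequest) -> Tuple[str, str]:
    """Return ("PERMIT", permissions) or ("DENY", reason), in the slide's rule order."""
    # Network Access only allows EAP-TLS authentication with a certificate
    if req.eap_type != "EAP-TLS" or not req.cert_subject_cn or not req.cert_san:
        return "DENY", "EAP-TLS with a client certificate is required"
    try:
        reported_mac = normalize_mac(req.calling_station_id)
        cert_mac = normalize_mac(req.cert_san)
    except ValueError as exc:
        return "DENY", str(exc)
    # Calling-Station-Id must match the MAC bound into the certificate at onboarding
    if reported_mac != cert_mac:
        return "DENY", f"Calling-Station-Id {reported_mac} does not match certificate SAN {cert_mac}"
    # Registered Devices: the endpoint went through the BYOD onboarding process
    if reported_mac not in REGISTERED_DEVICES:
        return "DENY", f"{reported_mac} is not a registered device"
    # The AD username is read from the Subject CN; its groups select the permissions
    groups = AD_GROUPS.get(req.cert_subject_cn, set())
    for group in ("Engineering", "Domain Users"):  # most privileged profile first
        if group in groups:
            return "PERMIT", PERMISSIONS[group]
    return "DENY", f"user {req.cert_subject_cn} has no authorized AD group"


if __name__ == "__main__":
    good = AccessRequest("EAP-TLS", "0021.6aab.0c8e", "slevesqu", "00:21:6A:AB:0C:8E")
    mismatch = AccessRequest("EAP-TLS", "00-21-6A-AB-0C-8F", "slevesqu", "00:21:6A:AB:0C:8E")
    print(authorize(good))      # PERMIT with the Engineering profile
    print(authorize(mismatch))  # DENY: the presenting MAC is not the one in the SAN
```

    The SAN comparison is what ties the credential to the hardware: a certificate presented from a MAC other than the one it was issued for is rejected before any AD lookup happens, and the `Registered Devices` check means a certificate issued outside the onboarding flow does not get BYOD access even when its user is valid.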
  • 30. Certificates Installation Summary
    Method            Win 8 Pro/Enterprise  Win RT  Apple iOS  Android  BB7  BB10
    Email             Yes                   Yes     Yes        No(1)    Yes  No
    Copy To Device    Yes                   Yes     Yes(2)     Yes      Yes  Yes
    Web (CA Server)   Yes                   Yes     Yes        Yes      Yes  No
    Anyconnect SCEP   Yes                   No      Yes        Yes      No   No
    SCEP Proxy        Yes                   No      Yes        Yes      No   No
    ISE Onboarding(3) Yes                   No      Yes        Yes      No   No
    1. Can not be installed from email directly but can be saved and installed from storage
    2. Via the iPhone Configuration Utility or an MDM
    3. More details on supported platforms: http://www.cisco.com/en/US/docs/security/ise/1.1.1/compatibility/ise_sdt.html#wp80321
  • 31. Certificate Management [numbered screenshots of the certificate management screens on the devices]
  • 33. ASA Remote Access VPN Options review
    • Clientless SSL: Basic Web, Email and CIFS Access; Customized User Screen
    • Thin-Client SSL: Plugins (SSH, VNC, Telnet, RDP, Citrix); Smart Tunnels
    • Client-Based SSL or IPSec: AnyConnect
  • 34. Citrix Mobile Receiver Support
    • ASA release 9.0 introduces the support of the Citrix Mobile Receiver application directly in clientless SSLVPN for most desktop OSes and for Apple iOS and Android
      – Allows the ASA to communicate directly to XenApp 6.5 or XenDesktop 5.5, 5.6
    [Diagram: User Device connected using Citrix Online Plug-Ins -> Internet -> Firewall -> Cisco ASA / Access Gateway -> Web Interface installed behind the Access Gateway -> Firewall -> Server Farm]
  • 35. Websockets HTML5 Access
    • ASA release 9.1(4) introduces the support of Websockets and HTML5 proxy
    • Enables a “fully clientless” solution homogeneously across different OSes using a browser that supports HTML5
      – No more dependencies on Java and ActiveX!
    • Uses 3rd-party Websockets gateways that convert HTML5 to a client protocol such as RDP/VNC/etc
    • The HTML5 resource is a simple bookmark accessed on the ASA clientless Web Portal
    [Diagram: Mobile Device with an HTML5 browser -SSL-> Internet -> ASA -SSL-> Websockets Gateway/Server (Intranet) -RDP, VNC, CIFS, etc-> Application (Data Center)]
  • 36. Mobile Devices VPN Support Summary
    Method                              Win 8 Pro/Enterprise  Win RT/Phone  Apple iOS  Android   BB7/10
    Anyconnect – SSL transport          Yes                   No(1)         Yes        Yes       No(1)
    Anyconnect – IPSec/IKEv2            Yes                   No(1)         Yes        Yes       No(1)
    Websockets – HTML5                  Yes                   Yes           Yes        Yes       Yes
    Native VPN support                  Yes                   Yes           Yes        Yes       No
    Clientless/Smartunnels/Plugins      Yes                   No            No         No        No
    Clientless – Mobile Citrix Receiver No                    No            Yes (v4+)  Yes (v2+) No
    1. RIM/BB and Microsoft do not allow the development of Anyconnect (or other VPN clients) on BBOS and Windows RT/Phone
    • For more detailed information on device/OS support, please consult the ASA Supported VPN Platforms document: http://www.cisco.com/en/US/docs/security/asa/compatibility/asa-vpn-compatibility.html#wp177602
    • For more information on features supported on Anyconnect with Android and Apple iOS, please consult their respective release notes: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-android.html http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect30/release/notes/rn-ac3.0-iOS.html#wp1148532
  • 37. Corporate vs BYOD
    How can I apply different access policies to a corporate device and a personal BYOD? How can I prevent a personal BYOD from connecting to my network?
    2 methods can be used to match device-specific identity information that will allow a differentiation of policies:
    1. Use of certificates for authentication and authorization: Certificate attributes can be defined for use cases like Corporate & BYOD. These attributes can be matched to different authorization policies in the ASA and ISE
    2. With posture: The posture service on the ASA for VPN and ISE can gather information on the device that can include the device type, OS type, processes/services running, Windows registry information, file information, certificate information.
      – If a corporate device is for example only a Windows PC domain member, the posture service could look for a specific piece of information like the registry entry defining the AD Domain, something that a mobile device would not have
      – If no mobile devices are to be allowed to connect, the posture service could use rules that would deny access to all mobile device types
  • 38. Mobile Posture with Anyconnect
    • ASA Release 8.2(5) introduced the ability to pass posture endpoint attributes from Anyconnect to ASA Dynamic Access Policies (DAP)
    • Can be used to control VPN connections from mobile endpoints and assign them specific access policies.
    • Posture is also used with SCEP proxy in ASA 9.0 to embed unique device identity in certificate enrollment requests
    • The Mobile Endpoint attributes include:
      – Version of the Anyconnect client (e.g. “3.0.x”)
      – Client Platform (“apple-ios”, “android”, etc)
      – Client OS version (e.g. “5.0”)
      – Type of device (varies per client platform but can be used to differentiate iPad from iPhone)
      – Device UniqueID (varies per client platform, consists of Device UDID for iOS, opaque hash of IMEI/MEID/ESN or MAC+AndroidID for Android mobiles)
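    To show how the two questions on slide 37 turn into DAP-style rules over the mobile posture attributes listed on slide 38, here is an added Python example (not code from the presentation or from the ASA). Each rule is a predicate over the endpoint attributes and the access policy it selects; rules are evaluated top-down and the first match wins, with deny as the default. The `domain_member` field is a stand-in for the registry check that identifies a corporate Windows domain member, the managed-tablet inventory, the OS floors and the policy names are constructed, and every device id is a labelled placeholder.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """Mobile posture attributes as listed on slide 38; all sample values are constructed."""
    anyconnect_version: str      # e.g. "3.0.x"
    platform: str                # "apple-ios", "android", "win", ...
    os_version: str              # e.g. "5.0"
    device_type: str             # e.g. "iPad", "iPhone", "Nexus 5"
    device_id: str               # Device UniqueID (UDID / opaque hash) as reported by the client
    domain_member: bool = False  # stand-in for the registry entry that marks an AD domain member


MOBILE_PLATFORMS = {"apple-ios", "android"}
# Assumed per-platform OS floor for personal devices (constructed policy values)
MIN_BYOD_OS = {"apple-ios": "6.1.2", "android": "4.1"}
# Constructed inventory of corporate-issued tablets, keyed by Device UniqueID
MANAGED_MOBILE_IDS = {"UDID-PLACEHOLDER-CORP-IPAD"}


def version_tuple(version: str) -> Tuple[int, ...]:
    """'3.0.x' -> (3, 0); '10.2.1.1925' -> (10, 2, 1, 1925): numeric parts only."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


# One DAP record: (name, predicate over the endpoint attributes, access policy it selects)
Rule = Tuple[str, Callable[[Endpoint], bool], str]


def is_mobile(e: Endpoint) -> bool:
    return e.platform in MOBILE_PLATFORMS


# Evaluated top-down; the first record whose predicate holds selects the policy.
DAP_RULES: List[Rule] = [
    # Corporate Windows PC: identified by the domain-membership marker, not by the platform alone
    ("corporate-windows", lambda e: e.platform == "win" and e.domain_member, "full-access"),
    # Corporate tablet: iPad (device type) whose UniqueID is in the managed inventory
    ("corporate-ipad", lambda e: e.platform == "apple-ios"
                       and e.device_type.startswith("iPad")
                       and e.device_id in MANAGED_MOBILE_IDS, "mobile-corporate"),
    # Personal mobile device on a supported OS release gets a restricted policy
    ("byod-mobile", lambda e: is_mobile(e)
                    and version_tuple(e.os_version) >= version_tuple(MIN_BYOD_OS[e.platform]),
                    "mobile-byod-restricted"),
    # Any other mobile device (i.e. below the OS floor) is denied explicitly
    ("outdated-mobile", is_mobile, "deny"),
]

# Variant for the second question on slide 37: no mobile devices may connect at all
NO_MOBILE_RULES: List[Rule] = [
    DAP_RULES[0],
    ("block-mobile", is_mobile, "deny"),
]


def evaluate(endpoint: Endpoint, rules: List[Rule] = DAP_RULES, default: str = "deny") -> Tuple[str, str]:
    """Return (rule name, policy) for the first matching rule, or ("default", default)."""
    for name, matches, policy in rules:
        if matches(endpoint):
            return name, policy
    return "default", default


if __name__ == "__main__":
    samples = [
        Endpoint("3.0.x", "win", "6.2", "PC", "WIN-PLACEHOLDER-1", domain_member=True),
        Endpoint("3.0.x", "apple-ios", "7.0.4", "iPad", "UDID-PLACEHOLDER-CORP-IPAD"),
        Endpoint("3.0.x", "android", "4.4.2", "Nexus 5", "ANDROID-PLACEHOLDER-1"),
        Endpoint("3.0.x", "android", "4.0.3", "AT300", "ANDROID-PLACEHOLDER-2"),
    ]
    for e in samples:
        print(e.platform, e.device_type, "->", evaluate(e), "| no-mobile policy:", evaluate(e, NO_MOBILE_RULES))
```

    The order of the records is the policy: a corporate iPad has to be matched before the generic BYOD rule or it would be handed the restricted profile, and the explicit deny record for outdated mobile devices documents the decision instead of relying on the default. As on the ASA, nothing here trusts the platform string alone for corporate access; the domain marker or the managed device id is what distinguishes corporate from personal.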
  • 39. Mobile Posture Configuration [screenshot]
  • 40. Mobile Posture Configuration [screenshot]: Choose Anyconnect as the Endpoint Attribute Type
  • 41. Mobile Posture Configuration [screenshot]: Select an Access Policy for the DAP defined
  • 42. Mobile VPN Authorization with Certificates
    • Certificate maps can be used with the ASA to allow matching of received certificate DN values and then map them to a Connection Profile.
    • Can be used with IPSec VPN and SSL VPN
    • Can be used with the Local CA feature on the ASA or with certificates generated from a 3rd-party CA
    • The following values from the certificate can be used for mapping:
      1. Alt-subject-name
      2. Subject-name
      3. Issuer-name
      4. Extended Key Usage (EKU) extensions
    More on Certificates for VPN: BRKSEC-2053: Practical PKI for VPN
  • 43. ASA Certificate Matching Configuration for VPN [screenshot]
  • 44. Licensing on the ASA
    • AnyConnect Essentials enables the use of Anyconnect for a full-tunnel VPN with SSL or IPSec IKEv2. One license is required per ASA
    • Anyconnect Premium activates advanced features such as the Clientless Portal, Smartunnels, Plugins, Posture and Mobile Posture. One license per concurrent user is required.
    • Anyconnect Essentials and Premium are mutually exclusive on an ASA
    • The Anyconnect Mobile license is required on top of Anyconnect Essentials or Anyconnect Premium licenses for mobile devices to establish a VPN tunnel with the ASA!! One license is required per ASA
    • For ASA releases 8.2 and below, 2 licenses per failover pair are required. Starting from ASA release 8.3, only one license is required per failover pair
    • Recommendation: Always include the Anyconnect Mobile License when purchasing a new ASA for VPN
  • 46. Web Security Gateway - Deployment Methods
    • Web Security Gateways such as the Cisco Web Security Appliance (WSA) provide a number of security services at an organization’s perimeter such as URL Filtering, Web Reputation Filtering, Anti-Malware Filtering, Granular Application Control, Data Loss Prevention and others
    • These gateways typically do not sit inline with the traffic and therefore Web user traffic must be redirected to these gateways
    • 3 methods can be used for this redirection:
      – Explicit Forward Mode: A proxy server entry is configured manually or automatically with the Web-Proxy Auto-configuration Protocol (WPAD) in the web browser to redirect its traffic to the Web Security Gateway
      – Transparent Mode: The Web Cache Control Protocol (WCCP) is used between the Web Security Gateway and a network or security device to redirect user traffic to the Web Security Gateway
      – Load-Balancers: For larger deployments. A Load-Balancer redirects the user traffic to the Web Security Gateway farms
  • 47. Web Security Gateway – User Authentication
    • Organizations typically require users to authenticate to an enterprise directory such as Active Directory before accessing Internet resources, to allow for enforcement of Acceptable Use Policies per role and to provide auditing for reporting and compliance purposes
    • 3 methods can be used to authenticate users:
      – Basic Browser Authentication: The user is prompted to enter credentials which can be sent to Active Directory/LDAP for authentication. Credentials can be cached by the browser so the user is not prompted again in the future. The user’s AD/LDAP attributes are also fetched for authorization and mapping to Access Policies. Appropriate for BYOD, guests or consultants.
      – NTLMSSP Browser Authentication: The user’s Windows login credentials are fetched transparently from the browser using an NTLM challenge-response authentication and sent to Active Directory for authentication. The user’s AD attributes are also fetched for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
      – Passive Identification: The Web Gateway uses the user’s IP address and sends a request to the Active Directory/Novell Directory Server that maintains the mapping of usernames/IP addresses seen when users log in. The Web Gateway then fetches the user’s AD/LDAP attributes for authorization and mapping to Access Policies. Appropriate for Windows corporate assets.
  • 48. Proxy and Authentication Methods Support
    Feature                 Win 8 Pro/Enterprise  Win RT  Apple iOS  Android  BB7    BB10
    Proxy Configuration     Yes                   Yes     Yes        Yes      No(1)  Yes
    PAC-WPAD                Yes                   Yes     Yes        No       No     Yes
    PAC-GPO                 Yes                   No      No         No       No     No
    PAC-MDM(3)              Yes                   No      Yes        No       No     No
    Basic Authentication    Yes                   Yes     Yes        Yes      Yes    Yes
    NTLMSSP                 Yes                   Yes(2)  Yes(2)     Yes(2)   No     Yes(2)
    Passive Identification  Yes                   No      No         No       No     No
    1. No support on native browser on Wifi. Supported with the Opera mini-browser and 3rd-party applications (not tested)
    2. No Single Sign-On
    3. Using the Airwatch MDM. Other MDMs may have different capabilities
    More on WSA: BRKSEC-3771: Advanced Web Security Deployment with WSA and ASA-CX
  • 50. Deployment Recommendations
    • Security policies relative to the use of personal devices in the corporate environment should be created before a BYOD deployment
    • Business unit owners should be involved to define the requirements and use cases that will drive the architecture of the solution for mobile devices
    • User education and awareness is key! A BYOD deployment should include training and guidelines for users on how to use their personal mobile device to lower the risk of having their device compromised and exploited
    • A private Certification Authority should be considered for deployments requiring differentiation of access privileges between corporate and personal mobile devices
    • Profiling and VPN posture can be used to differentiate mobile devices from laptops/desktops and are great tools for device identification and inventory
    • A Virtual Desktop Infrastructure (VDI) architecture can help reduce the risk of data leakage and improve the user experience