{
  "description": "Mobile techniques mitigated by Enterprise Policy, ATT&CK mitigation M1012 (v1.0)",
  "name": "Enterprise Policy (M1012)",
  "domain": "mobile-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1517", "comment": "On Android devices with a work profile, the `DevicePolicyManager.setPermittedCrossProfileNotificationListeners` method can be used to manage the list of applications running within the personal profile that can access notifications generated within the work profile. This policy would not affect notifications generated by the rest of the device. The `DevicePolicyManager.setApplicationHidden` method can be used to disable notification access for unwanted applications, but this method would also block that entire application from running.(Citation: Android Notification Listeners)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1661", "comment": "Enterprises can provision policies to mobile devices for application allow-listing, ensuring only approved applications are installed onto mobile devices.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1521", "showSubtechniques": true},
    {"techniqueID": "T1521.003", "comment": "Certain enterprise policies can be applied to prevent users from adding certificates to the device and to prevent applications from being able to install their own certificates.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1428", "comment": "Configuring per-app VPN policies instead of a device-wide VPN can restrict VPN access to internal enterprise resources to only enterprise-approved applications.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1629", "comment": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1629.001", "comment": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1417", "comment": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards) An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1417.001", "comment": "When using Samsung Knox, third-party keyboards must be explicitly added to an allow list in order to be available to the end-user.(Citation: Samsung Keyboards)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1417.002", "comment": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1516", "comment": "An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1430", "comment": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1430.001", "comment": "If devices are enrolled using Apple User Enrollment or using a profile owner enrollment mode for Android, device controls prevent the enterprise from accessing the device\u2019s physical location. This is typically used for a Bring Your Own Device (BYOD) deployment.", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1461", "comment": "Enterprises can provision policies to mobile devices that require a minimum complexity (length, character requirements, etc.) for the device passcode, and cause the device to wipe all data if an incorrect passcode is entered too many times.\nBoth policies would mitigate brute-force, guessing, or shoulder surfing of the device passcode. Enterprises can also provision policies to disable biometric authentication; however, biometric authentication can help make using a longer, more complex passcode more practical because it does not need to be entered as frequently.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1663", "comment": "When devices are enrolled in an EMM/MDM using device owner (iOS) or fully managed (Android) mode, the EMM/MDM can collect a list of installed applications on the device. An administrator can then act on this list, for example by blocking specific remote access applications from being installed on managed devices.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1458", "comment": "Enterprise policies should prevent enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development).", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1513", "comment": "Enterprise policies should block access to the Android Debug Bridge (ADB) by preventing users from enabling USB debugging on Android devices unless specifically needed (e.g., if the device is used for application development). An EMM/MDM can use the Android `DevicePolicyManager.setPermittedAccessibilityServices` method to set an explicit list of applications that are allowed to use Android's accessibility features.", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1451", "comment": "Enterprises should monitor for SIM card changes on the Enterprise Mobility Management (EMM) or the Mobile Device Management (MDM).", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1632", "comment": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1632.001", "comment": "On iOS, the `allowEnterpriseAppTrust` and `allowEnterpriseAppTrustModification` configuration profile restrictions can be used to prevent users from installing apps signed using enterprise distribution keys.", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "mitigated by Enterprise Policy", "color": "#66b1ff"}]
}