Endpoint Security Posture
With Bravas, all your online identities are secured by the trust we can put in your managed devices. Hence, ensuring that the security posture of those devices matches the risks you are facing is important. As we shared in our vision, we intend to build Bravas as a solution that anticipates most needs so that you can focus on your functional needs. This means that some security settings are enforced by Bravas and cannot be disabled, while others are at hand to make your fleet compliant with your market regulations.
What Is Mandatory With Bravas
Currently, Bravas only supports devices considered as assigned devices. Each device is used by a single user on a daily basis (IT access does not count). We do not support devices that are shared (one session used by many operators) or multi-user situations (like a classroom).
In that context, all devices enrolled to Bravas will be required to:
- be encrypted
- have a device passcode
In the future, when we introduce support for shared and multi-user scenarios, we will adapt some of those requirements for those specific contexts. But for assigned devices, passcodes and encryption are mandatory.
What You Can Configure
Passcode policy
Straight out of the box, Bravas requires a simple 6-digit passcode on all devices. You can edit the complexity requirements per kind of device.
Supported kinds of devices are smartphones, tablets and computers. So far, we have not made any distinctions between a laptop and a workstation. And we strive, as much as we can, to not expose differences between managed OS as this will not be scalable for you.
The device's passcode complexity can be set to:
- require more characters
- require the passcode to be alphanumeric
- require the passcode to contain non-alphanumeric symbols
- refuse simple values (repeated symbols, ascending or descending sequences, etc.)
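A passcode-policy checker covering the four complexity options above, as an added example and not Bravas code; the per-device-kind policy values, the function names and the way "simple values" are detected (one repeated symbol, or a run of consecutive characters in either direction) are assumptions:

```python
import string

# Constructed policies per kind of device; the real Bravas defaults are
# only documented as "a simple 6-digit passcode" for every kind.
POLICIES = {
    "smartphone": {"min_length": 6, "alphanumeric": False, "symbol": False, "reject_simple": True},
    "tablet":     {"min_length": 6, "alphanumeric": False, "symbol": False, "reject_simple": True},
    "computer":   {"min_length": 10, "alphanumeric": True, "symbol": True, "reject_simple": True},
}


def is_simple(passcode: str) -> bool:
    """True for values the policy refuses: a single repeated symbol (111111)
    or an ascending/descending run of consecutive characters (123456, fedcba)."""
    if len(set(passcode)) == 1:
        return True
    # Differences between neighbouring characters; a monotone run of +1 or -1
    # steps is a sequence. Mixed steps ({2, 0}, {1, -1}, ...) are not.
    steps = {ord(b) - ord(a) for a, b in zip(passcode, passcode[1:])}
    return steps in ({1}, {-1})


def check_passcode(passcode: str, policy: dict) -> list:
    """Return the list of policy violations (empty when the passcode is accepted)."""
    problems = []
    if len(passcode) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    has_alpha = any(c.isalpha() for c in passcode)
    has_digit = any(c.isdigit() for c in passcode)
    if policy["alphanumeric"] and not (has_alpha and has_digit):
        problems.append("must contain both letters and digits")
    if policy["symbol"] and not any(c in string.punctuation for c in passcode):
        problems.append("must contain a non-alphanumeric symbol")
    if policy["reject_simple"] and is_simple(passcode):
        problems.append("repetitive or sequential value")
    return problems


def check_for_device(kind: str, passcode: str) -> list:
    """Apply the policy of the given kind of device (smartphone, tablet, computer)."""
    return check_passcode(passcode, POLICIES[kind])


if __name__ == "__main__":
    for kind, value in [("smartphone", "123456"), ("smartphone", "135799"), ("computer", "aaaaaaaaaa")]:
        print(kind, value, check_for_device(kind, value) or "accepted")
```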
You can also configure the idle period before the screen locks and the grace period after a screen lock before the passcode is required to unlock the device.
We currently do not allow a setting enforcing passcode expiration. Passcode expiration is a legacy behavior that does not contribute positively to your security posture. It is actually proven that password expiration policies lower your security posture by pushing your stakeholders to adopt pattern-based passwords which can be guessed by attackers.
As far as we know, all market regulations have been updated and now agree that passcode expiration is not needed but two-factor authentication is.
By design, all access to Bravas uses two factors:
- having access to a trusted device (enrolled device with a security certificate in a secure enclave or authentication token)
- knowing the passcode of that specific device
Someone with a Mac and an iPhone will not have the same passcode for both, and none of those passcodes are synchronized to any cloud. This means they cannot be attacked remotely nor brute-forced without physical access to the device.
If you are currently dealing with a security auditor that is not using up-to-date knowledge and wants to give you a penalty for not having periodic passcode renewal, contact us immediately, and we will provide you with all the support needed to defend our position during your audit.
Update policy
To keep your organization secure, it is a requirement nowadays to be as up-to-date as you can, from both the OS and the apps perspective.
Apps
By design, Bravas will enforce updates of all managed apps because we cannot guarantee you access to a validated version of an app. Indeed, AppStore-based deployment always deploys the latest version of an app, so even if we did not update already deployed apps, we could not ensure that newly enrolled devices get the same validated version. Hence, we enforce that all your devices run the latest version from the AppStore. The same applies to the direct download option, where your endpoint downloads the apps to install from the vendor website: we cannot guarantee long-term access to a specific version and, for now, we do not offer a hosting plan to keep your own copy of the installation material.
As an option, we can try to update apps installed by the users that are known by Bravas but not assigned by you. This will contribute to your overall security posture.
OS
The OS update policy offered by Bravas allows you two settings: a holding time for which a newly published software update will not be shown to the user, and an enforcement limit at which all users will be forced to apply the update with a reboot.
By default, Bravas immediately presents any new update and enforces it 15 days later.
Data security
Bravas allows you to configure your data loss prevention policy by letting you limit the use of external storage.
For mobile devices, you can allow or deny external storage.
For computers, you can also restrict external storage to read-only access. On macOS, however, this means limiting it to naturally read-only media like CDs and DVDs; writable external storage like USB sticks will not be mounted at all.