I recently wrote about how shockingly simple it turns out to be to install sideloaded iOS apps. As a follow-up, I wanted to see how easy it is for companies to block sideloaded apps, since they are a clear threat to the enterprise.
Thankfully, Apple and Google make it pretty easy.
Preventing Android sideloading
For fully managed devices, EMM administrators can disable installation from unknown sources through a standard user restriction (DISALLOW_INSTALL_UNKNOWN_SOURCES, applied by the device owner app).
For organizations that allow BYOD, there are a couple of options. On devices with a work profile, IT can block unknown-source installs inside the work profile itself with the same DISALLOW_INSTALL_UNKNOWN_SOURCES restriction, applied by the profile owner. Users will still be able to sideload apps on the personal side, but corporate apps and data in the work profile stay isolated from them.
Sideloaded apps in the personal profile can still be risky, even though the work profile keeps enterprise data isolated. Thankfully, Google added a device-wide block for Android 8.0+ devices running the Google Play app (version 80812500+), delivered as a Google Play managed configuration (the verify_apps:device_wide_unknown_source_block key). Jason Bayton has a blog post on how to enable it through MobileIron Core and Workspace ONE UEM. In his testing it has worked as far back as Android 7.1.2; he told me it could potentially work on Android 6.0, but he hasn't been able to test that yet.
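Whatever route an EMM uses, it is worth confirming on a test device that the restriction actually landed on every user the policy was meant to cover. The script below is an added example, not code from the original post or from any EMM: it parses the output of `adb shell dumpsys user` and reports which users or profiles still allow unknown-source installs. The restriction strings are the real values of UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES and DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY; the dumpsys sample is constructed (the exact layout varies by Android version, so the parser only keys on the UserInfo header and on restriction names). The Play managed-config block described above is enforced inside the Play Store app and does not show up as a user restriction, so this check does not see it.

```python
"""Report Android users/profiles that still allow unknown-source installs.

Added example: parses `adb shell dumpsys user` output. Assumes `adb` is on
PATH for live use; SAMPLE_DUMPSYS below is constructed for offline runs.
"""
from __future__ import annotations

import re
import subprocess

# Real UserManager restriction strings.
UNKNOWN_SOURCES = "no_install_unknown_sources"                  # DISALLOW_INSTALL_UNKNOWN_SOURCES
UNKNOWN_SOURCES_GLOBAL = "no_install_unknown_sources_globally"  # DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY (API 29+)

# UserInfo.toString() prints "UserInfo{<id>:<name>:<hex flags>}".
USER_HEADER = re.compile(r"UserInfo\{(\d+):([^:}]*):[0-9a-fA-F]+\}")
# Restriction names are printed one per line as lower_snake_case "no_..." identifiers.
RESTRICTION = re.compile(r"^\s*(no_[a-z_]+)\s*$")

# Constructed sample: BYOD device whose work profile (user 10) has the
# restriction while the personal profile (user 0) does not.
SAMPLE_DUMPSYS = """\
Users:
  UserInfo{0:Owner:c13} serialNo=0 isPrimary=true
    State: RUNNING_UNLOCKED
    Has profile owner: false
    Restrictions:
      null
    Effective restrictions:
      null
  UserInfo{10:Work profile:1030} serialNo=10 isPrimary=false
    State: RUNNING_UNLOCKED
    Has profile owner: true
    Restrictions:
      no_install_unknown_sources
    Effective restrictions:
      no_install_unknown_sources
"""


def parse_user_restrictions(dump: str) -> dict[int, dict]:
    """Map user id -> {"name": str, "restrictions": set of restriction names}."""
    users: dict[int, dict] = {}
    current = None
    for line in dump.splitlines():
        header = USER_HEADER.search(line)
        if header:
            current = int(header.group(1))
            users[current] = {"name": header.group(2), "restrictions": set()}
            continue
        match = RESTRICTION.match(line)
        if match and current is not None:
            users[current]["restrictions"].add(match.group(1))
    return users


def sideload_gaps(users: dict[int, dict]) -> list[int]:
    """User ids on which unknown-source installs are still possible.

    The global restriction set on any user covers the whole device; otherwise
    each user needs its own per-user restriction.
    """
    if any(UNKNOWN_SOURCES_GLOBAL in u["restrictions"] for u in users.values()):
        return []
    return sorted(uid for uid, u in users.items()
                  if UNKNOWN_SOURCES not in u["restrictions"])


def live_dumpsys() -> str:
    """Fetch real output from an attached device (requires USB debugging)."""
    return subprocess.run(["adb", "shell", "dumpsys", "user"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    users = parse_user_restrictions(SAMPLE_DUMPSYS)
    for uid in sideload_gaps(users):
        print(f"user {uid} ({users[uid]['name']}) still allows unknown sources")
```

Because it needs USB debugging, this is a test-bench check rather than production monitoring: on a fully managed device the same DPC will often set DISALLOW_DEBUGGING_FEATURES, which disables adb altogether.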
Preventing iOS sideloading
Like Android, iOS has a couple of settings IT can push via MDM to prevent sideloading, and the two important ones don't require the device to be supervised. The first is the "Trust new enterprise app authors" restriction. With it disabled, users can no longer trust a developer certificate that isn't already trusted, so an enterprise-signed app installed outside of MDM never gets to run; apps the MDM itself installs are implicitly trusted, so in-house apps still work.
The other useful setting is whether to allow users to "Install apps using Apple Configurator and iTunes." It's worth managing, but largely unnecessary if the first restriction is already in place.
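Both settings live in the Restrictions payload (com.apple.applicationaccess) of a configuration profile, which is what the MDM actually pushes. The script below is an added example, not code from the original post or from any MDM vendor: it builds such a profile with plistlib and, more usefully, checks a profile about to be pushed for the two keys. The allowEnterpriseAppTrust key is the documented one behind "Trust new enterprise app authors"; mapping allowAppInstallation to "Install apps using Apple Configurator and iTunes" is my understanding and should be treated as an assumption to confirm against your MDM's exported profile. The com.example.* identifiers and display names are placeholders.

```python
"""Build and check an iOS Restrictions profile that blocks sideloading.

Added example. Key mapping for "Install apps using Apple Configurator and
iTunes" -> allowAppInstallation is an assumption; identifiers are placeholders.
"""
from __future__ import annotations

import plistlib
import uuid

RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
# The settings the post describes, with the value each must have.
REQUIRED = {
    "allowEnterpriseAppTrust": False,  # "Trust new enterprise app authors"
    "allowAppInstallation": False,     # "Install apps using Apple Configurator and iTunes" (assumed mapping)
}


def build_profile(restrictions: dict[str, bool] | None = None,
                  org: str = "Example Corp",
                  ident: str = "com.example.nosideload") -> bytes:
    """Return a .mobileconfig (XML plist) containing one Restrictions payload."""
    if restrictions is None:
        restrictions = REQUIRED
    inner = {
        "PayloadType": RESTRICTIONS_PAYLOAD,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ident}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Block sideloaded apps",
        **restrictions,
    }
    outer = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ident,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "No sideloading",
        "PayloadOrganization": org,
        "PayloadContent": [inner],
    }
    return plistlib.dumps(outer)


def missing_restrictions(profile: bytes) -> list[str]:
    """Keys from REQUIRED that the profile leaves unset or set to the wrong value.

    Merges every Restrictions payload in the profile, so a profile that
    carries several of them is judged on its combined effect.
    """
    plist = plistlib.loads(profile)
    effective: dict = {}
    for payload in plist.get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_PAYLOAD:
            effective.update(payload)
    return sorted(key for key, wanted in REQUIRED.items()
                  if effective.get(key) is not wanted)


if __name__ == "__main__":
    good = build_profile()
    with open("nosideload.mobileconfig", "wb") as fh:
        fh.write(good)
    print("missing in generated profile:", missing_restrictions(good))
    weak = build_profile({"allowEnterpriseAppTrust": True})
    print("missing in weak profile:", missing_restrictions(weak))
```

The profile is only a control when the MDM delivers it: a profile a user installs by hand can just as easily be removed from Settings, which is why the test below relied on enrolment rather than on a downloaded .mobileconfig.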
Testing an MDM
Much like I did with downloading and installing sideloaded iOS apps, I also tested how the MDM features work, using a free trial of SimpleMDM. First, I tried to see whether the MDM prevented an already-installed app from launching, but alas, the app still worked. However, I couldn't download or install a sideloaded app once SimpleMDM and the requisite policies were set up. The link on the third-party app store no longer worked (once the MDM was disabled, it worked again, so I know it wasn't an unrelated browser issue randomly cropping up).
I then tried running the app after installing it (with SimpleMDM removed first) but before accepting the developer profile. With SimpleMDM installed again, the MDM prevented me from accepting the profile, rendering the app nothing but a useless icon.
Can’t manage devices? Detection still an option
BYOD remains a tricky subject. If your organization allows BYO devices and MDM isn't an option (or isn't mandatory), IT can still keep an eye on what apps users are installing with mobile security products.
Many mobile threat defense vendors offer detection services that alert IT through a dashboard when a device downloads (or attempts to download) a sideloaded app.
While mobile threat defense solutions can inform IT about the download or installation of third-party apps, they cannot stop it; for that you'll still need an EMM or MDM in place. IT could also try a sternly worded letter to the user(s) as a fall-back option.
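The simplest form of that detection is installer attribution: Android records which package installed each app, and anything a trusted store or EMM agent did not install is a candidate sideload. The script below is an added example, not code from the original post or from any MTD product: it parses `adb shell pm list packages -3 -i` output (`-3` limits it to non-system packages, `-i` appends the installing package, or `null` when none was recorded) and flags packages whose installer isn't on an allowlist. The sample lines are constructed; com.android.vending (Google Play) and com.google.android.apps.work.clouddpc (Android Device Policy) are real package names, but which EMM agent belongs on your allowlist depends on your deployment.

```python
"""Flag third-party Android apps that did not come from an allowed installer.

Added example: parses `adb shell pm list packages -3 -i` output. Assumes
`adb` is on PATH for live use; SAMPLE_PM_OUTPUT is constructed.
"""
from __future__ import annotations

import re
import subprocess

# Installers whose apps are not considered sideloaded. Extend with your
# EMM agent's package name if it installs apps directly.
ALLOWED_INSTALLERS = frozenset({
    "com.android.vending",                    # Google Play
    "com.google.android.apps.work.clouddpc",  # Android Device Policy
})

# pm prints one line per package: "package:<name>  installer=<pkg|null>".
LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

# Constructed sample: two legitimately installed apps, one sideload with no
# recorded installer, a third-party store installed from a browser, and an
# app installed by that store.
SAMPLE_PM_OUTPUT = """\
package:com.example.chat  installer=com.android.vending
package:com.example.timesheet  installer=com.google.android.apps.work.clouddpc
package:com.example.game  installer=null
package:org.example.thirdpartystore  installer=com.android.chrome
package:com.example.cracked  installer=org.example.thirdpartystore
"""


def parse_packages(output: str) -> dict[str, str | None]:
    """Map package name -> installer package (None when pm reports null)."""
    pkgs: dict[str, str | None] = {}
    for line in output.splitlines():
        match = LINE.match(line.strip())
        if match:
            pkg, installer = match.groups()
            pkgs[pkg] = None if installer == "null" else installer
    return pkgs


def sideloaded(pkgs: dict[str, str | None],
               allowed: frozenset[str] = ALLOWED_INSTALLERS) -> dict[str, str | None]:
    """Packages whose installer is unrecorded or not on the allowlist."""
    return {pkg: inst for pkg, inst in pkgs.items() if inst not in allowed}


def live_pm_output() -> str:
    """Fetch real output from an attached device (requires USB debugging)."""
    return subprocess.run(["adb", "shell", "pm", "list", "packages", "-3", "-i"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for pkg, installer in sideloaded(parse_packages(SAMPLE_PM_OUTPUT)).items():
        print(f"{pkg}: installer={installer or 'none recorded'}")
```

Treat the result as a heuristic: the installer field is whatever the platform recorded at install time, and it tells you nothing about the app's contents, only that Google Play or your EMM was not the source.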
On a side note, this brings up some policy questions companies may have to deal with. Some users might not like having their personal use curtailed; it's their device, so why shouldn't they be allowed to download Fortnite on Android if they want to? If no good middle ground between the enterprise and the user can be found, perhaps this just means that employees end up with two phones, an idea more companies and IT departments seem to be coming back around to.