Mobilisafe provides control over personal devices without managing them

Last week Gabe and I spoke to Mobilisafe, a Seattle-based startup that does mobile risk management. What is mobile risk management?

Last week Gabe and I spoke to Mobilisafe, a Seattle-based startup that does mobile risk management. What is mobile risk management? For Mobilisafe it means inspecting traffic that flows from mobile devices to corporate applications and using it as a means to control unmanaged BYO mobile devices. does traffic inspection, as a way of controlling unmanaged devices. Their eponymous product is in beta, and today they released an updated report of findings from their trial.

After four months of private beta trials, the report that Mobilisafe released today indicates that about half of the mobile devices discovered in the trial had out of date OSes, causing security concerns. (Big surprise, we know!) Seriously though, the numbers they reported were that 71% of the devices had “high severity operating system and application vulnerabilities” and that 70% of those could be fixed by updating device firmware.

If only all the users would just keep up on their firmware upgrades, there would be no need to worry, right? But since that’s never going to happen, Mobilisafe has technology to make sure that personal devices with out-of-date OSes cannot access sensitive corporate applications.

How Mobilisafe works

The application that Mobilisafe works with is Exchange ActiveSync (EAS). I’ll get to how Mobilisafe does its magic in a little bit, but first, some background on EAS. While EAS has some basic MDM capabilities, it’s a rough tool at best. EAS can specify baseline security requirements for mobile devices, it can be turned on or off, it can wipe devices, and password and encryption requirements can be set. However, there’s not much of a view into the actual device.

This is where Mobilisafe comes in—it sits on an IIS server and watches the EAS traffic in order to learn more about the devices that are accessing each mailbox. Mobilisafe can identify the device, and using information pulled from Active Directory, figure out what user it belongs to.

How does the Mobilisafe agent learn the characteristics of the device? It looks at the characteristics of the actual traffic to and from the device. Some devices actually report lots of information, like their name, and OS version, while other devices have to be watched and compared to known device.

This is where the security part comes in—as we all know, a huge number of security holes could be closed by just keeping devices up to date. The intelligence that Mobilisafe brings is being able to determine which of the devices accessing EAS are out of date. Jailbroken devices often have their own characteristics  that Mobilisafe can recognise, as well.

The crunching of the traffic-watching data happens on Mobilisafe’s servers in the cloud. They have to keep their finger on the pulse of all the latest patches for pretty much any mobile device that has an EAS client. Only the generic info of what the traffic looks like is transmitted off-premise, not the actual content of the EAS messages. The admin console also is in the cloud, and it pulls a just enough information from Active Directory to be able to cross reference devices with users events and create the management interface. 

With better and more complete information about devices that are accessing mailboxes through EAS, administrators can then make decisions about access to EAS for certain users and devices. Mobilisafe is set up to be able to turn off access for particular devices, or instead of just blocking devices entirely, it’s possible to send users an email requesting that they update their device’s OS, or face having it be blocked after a certain period of time. For devices that Mobilisafe can’t identify (they said that there are a few), administrators can request that users self-report their devices.

Mobilisafe for BYOD

The end result is that administrators can achieve a granular level of control over EAS connections to unmanaged devices that is otherwise not possible. For environments that want to go completely unmanaged, Mobilisafe can be a way to ensure compliance to a degree beyond regular EAS capabilities. For environments with managed devices (whether corporate or personal), Mobilisafe would make a good partner, providing a glimpse into non-managed devices, including ones that are accessing EAS from outside of the corporate network.

Mobilisafe is an especially interesting option for controlling personal devices, considering how many of them get plugged into Exchange environments without any management at all.

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Hello Jack, thanks again for your posts. Mobilisafe looks like an interesting solution, however I am not pretty sure that mobilsafe can be a real opportunity to embrace BYOD. I thought about two main ideas :

1- EAS is a protocol used to synchronise mobile phones with Microsoft Exchange servers ( mails, calendar,contacts , tasks) , what would happen in the case of enterprises using IBM Lotus ?

2- what happens if an employee disabled his Exchange account (there will be no communication with the Exchange server  => no trafic inspected ) and accessed the enterprise's intranet ?


Thanks Fahad. Mobilisafe only mentions ActiveSync for now, though it seems like much of the IP would be the same for other mail systems.

For your second question, I feel like this is okay. I think of it as enhanced security for a specific application—in this case (EAS) one that happens to be especially vital (almost everyone uses it) and especially vulnerable (people have all sorts of devices plugged into EAS, they're accessing it from outside the corporate network so there's no just block BYODs at that level, and the device OS reaches into mail clients to access contacts). Security around a corporate network to keep unapproved devices off the intranet is a separate issue.


Thanks for helping me cut through the marketing on the web site, Jack! - Is it installed as a man-in-the-middle/proxy ? (Ex: actually hits Mobilisafe who then passes requests to the real EAS service ?)

Seems like a lot of user.agent parsing without a lot of assurance of accuracy. - I'd love to understand how they'd detect something like Exchange Unlock  for jailbroken iOS.