Definition – What does Remote Lock mean?
Remote lock is a system capability or software solution that lets an administrator lock a device or system remotely. Remote lock features are often part of comprehensive data security management systems that address data breach issues introduced by bring your own device (BYOD) policies or security gaps in distributed company computing networks. Remote Lock can range from logging out current user sessions or forcing a reboot to placing a firmware lock on the device.
DriveStrike explains Remote Lock
So let’s review the various types of lock in more detail, starting with the least aggressive form and working our way up to the most aggressive form of Remote Lock:
- Forced Logout – A forced logout is pretty straightforward: once the command is executed, all sessions on the device are logged out and anyone with physical access is required to use established credentials to authenticate or log back in to the device.
- Forced Reboot – Like forced logout, forced reboot is pretty easy to understand: once the command is executed, the device is forced to reboot. This is a fairly heavy-handed approach, since any unsaved work will be lost, and unless you have additional security in place it is much like a forced logout: the existing credentials on the machine are all that is needed to regain access. That said, if you have a pre-boot passcode, BIOS security setup, or whole drive encryption (FDE) enabled, a forced reboot can be very secure and helpful in ensuring data on the device remains well protected.
- Remote Forced Passcode Reset – As you would expect, this option remotely changes the credentials for the device and requires anyone using the device to re-authenticate using the newly established credentials. This option is usually deployed when an employee is terminated or quits the company but fails to return company computing devices. It helps to preserve valuable confidential company data while preventing access by the former company insider. This approach also makes it clear to any former employee that tampering with the device is intentional and willful misconduct on their part.
- Remote Firmware Lock – An excellent feature that requires a remotely defined PIN code to unlock the hard drive. In this scenario the device cannot be started without the special PIN code, which often renders the hardware itself of no value to a thief. Apple deploys this model on MacBooks and it is very effective. That said, it is important that you encrypt the entire drive, because this method does not protect the data on the drive if the drive is removed and docked using an external drive connection to read the drive contents.
DriveStrike Remote Lock by Operating System
- Windows – On Windows devices we recommend using remote lock when you are simply trying to ensure the device users are logged out. We do not yet offer the ability to remotely change the credentials on Windows devices; that feature is planned later in 2019. If you have a pre-boot passcode, BIOS security, or whole drive encryption deployed, we suggest using our remote reboot option to generate an effective remote lock. Otherwise we suggest initiating a remote wipe for any suspected lost or stolen device.
- MacBook – For macOS devices a remote lock will effectively reboot the machine and set the firmware passcode that you entered when ordering the remote lock from the DriveStrike Device page. The only way to use the machine moving forward is to enter the passcode you set within DriveStrike, even if the hard drive is replaced. That said, if the existing hard drive is not encrypted, the data on that drive is NOT protected from being accessed if the thief removes the drive and connects it to another machine using a drive dock or some other reader. We recommend initiating a remote wipe for any suspected lost or stolen device.
- iOS – On iPhones and iPads a remote lock will only log out the user and require that they enter the passcode. Biometrics like fingerprints and facial recognition are not allowed until the user enters the existing passcode. We recommend initiating a remote wipe for any suspected lost or stolen iOS device.
- Android – On Android devices we recommend using remote lock when you are simply trying to ensure the device users are logged out. We can only offer the ability to remotely change the credentials on Android devices using API Level 23 or lower; this is not something we can control, since Google is in charge of the available actions. We recommend initiating a remote wipe for any suspected lost or stolen device.
- Linux – On Linux devices we recommend using remote lock when you are simply trying to ensure the device users are logged out. We do not yet offer the ability to remotely change the credentials on Linux devices; that feature is planned later in 2019. If you have a pre-boot passcode, BIOS security, or whole drive encryption deployed, we suggest using our remote reboot option to generate an effective remote lock. Otherwise we suggest initiating a remote wipe for any suspected lost or stolen device.
A remote lock command is triggered from a remote system endpoint or control panel. Enterprise lock can be set up in different ways so as to lock all devices within an account.
Device lock is extremely useful when a device or system is being hijacked or unauthorized access occurs, allowing device administrators to easily initiate a device lock within the admin center. You may wonder what remote locate is, and whether a wipe or erase is better. Many business personnel prefer an alternative when dealing with lost devices, known as a remote wipe (data destruction), where information on the device or system is wiped and the device must have its software reinstalled or set up again. With remote lock (versus a wipe), those in charge of a system do not automatically lose all of their data, but we suggest that a data deletion operation is more prudent. Either of these security features is extremely helpful when a mobile device is stolen or when administrators determine that a bad actor is stealing information through a USB flash drive or other resources.
When a device is lost or stolen, you want to protect data as quickly and easily as possible, so that device administrators can protect personal information on mobile phones, tablets, PCs, and laptops. Often, if your personal data is encrypted, a quick wipe can be executed by restoring factory settings; many mobile device management and mobile security offerings employ this strategy. If you already have a device manager and mobile device management solution for your Android and/or iOS devices, please make sure you have a good BYOD policy in place.