Using BigFix to secure inherently insecure Android devices?

Posted by PassiveIllustration@reddit | sysadmin | View on Reddit | 9 comments

Hello, I am wondering if anyone has had any experiencing using BigFix to secure inherently insecure Android devices? To be a bit more specific this device: https://supernote.com/products/supernote-manta?variant=45959389348076 It's a highly insecure E-Ink tablet that runs android. Some upper level execs want it and I've made note that servers are in China, the device doesn't have encryption, and their privacy policy is maybe the worst I've ever seen. I haven't done much work with Android devices so I'm wondering if anyone has had any similar experiences and if it's even worth it.

[-]

SolidKnight@reddit

I would try to get them to outline what they want and let you pick a product.

[-]

Mulan-sn@reddit

Thank you so much for sharing these concerns. they're important for any enterprise considering new tools.

You're not locked into China server. During setup, you can pick a server location for the official Supernote Cloud based on your actual physical location. In addition, Supernote offers Private Cloud sync. You can host your own server (in your own data center or a trusted cloud) and have full control over where your data is stored.
Encryption: We do plan to add file encryption on the device. Please kindly stay tuned.
Privacy policy: Would you kindly check with us what part of our privacy policy doesn't make sense to you?
Android insecurity: Supernote runs a stripped‑down Android. The attack surface is minimal. It's far less vulnerable than any standard Android phone.
BigFix: We tested MDM on our device. Unfortunately, it doesn't fully work. But if executives want a distraction‑free, durable, long‑battery writing tool and you can accept Private Cloud, it's a great fit.

Please feel free to contact us should you need any further assistance.

[-]

Helpjuice@reddit

Not worth it, shut it down at the core, unless it has the basics it should be a no go and will put your entire company out of compliance due to extremely poor cyber hygiene. Something without modern encryption, a horrible privacy policy and sucks all your data up to China is a bad start that cannot be reversed once you start it.

If this has no real business you move on and do not provide any support for it.

[-]

PassiveIllustration@reddit (OP)

That's what I said. I made it clear that it had some of the worst security I've ever seen on a device in my life but they still want to move forward so I'm looking at some compensating controls.

[-]

NH_shitbags@reddit

Why are they so fixated on these devices? Why not others? Are you able to suggest other e-ink tablets which may be a better fit?

[-]

PassiveIllustration@reddit (OP)

I know it's insane. I mean an iPad is like the same price and is a million times more secure and we have tools to manage it already.

[-]

JwCS8pjrh3QBWfL@reddit

Maybe have them look at reMarkable? Those have gotten pretty popular and I haven't heard similar security issues.

[-]

Helpjuice@reddit

Sounds like they want the e-ink capability, but the device is unacceptable to be on a corporate network used for processing or storing anything business related.

[-]

Helpjuice@reddit

There are no compensating controls, drop it and move on. Allowing it is asking for trouble as the firmware is more than likely also insecure. If they want to use it for personal use off the company network to compromise their own personal stuff they can do that on their own, but it should be prohibited to have any non modern, conforming devices at all on the network.