Managing supply chain security when buying smartphones, tablets, laptops and desktop PCs

There are many sourcing options available to organizations when buying mobile devices, including buying directly from the device manufacturer, a mobile network operator, or an independent third party.

When buying from any of these sources, you should consider how threat actors within the supply chain may be able to affect the security of your organization, and what steps - if any - you will take to defend against them.

This article will not help you decide which devices you should buy. We have separate guidance on choosing mobile devices which covers this topic. The goal here is to help you buy devices securely.

Supply chain attacks are rare but not unheard of, and there are sensible steps you can take to minimize your exposure to them. For example, buying devices directly from a reputable vendor is likely to result in a better outcome than sourcing second hand devices from online marketplaces.

If your device is compromised before you have a chance to apply security configurations, it can be very difficult to detect. However, there are some sensible precautions you can take to minimize the likelihood of these attacks succeeding against your organization.

Additionally, most mobile devices now come with options for zero touch enrollment programs such Windows Autopilot and Apple Business Manager. These programs are highly recommended as they both minimize the administrative burden of enrolling new devices, as well as improving the overall security of the enrollment process, by making unenrolled devices secure in transit and reducing the likelihood of manual error. They may also provide additional benefits. For example, on iOS, devices deployed through Apple Business Manager can be prevented from unenrolling from mobile device management.

Use of these programs will often require you to partner with a device supplier who will automatically register newly purchased devices to your organization’s zero touch enrolllment program.

When deciding how to buy devices, you should:

• Consider which zero touch enrollment program(s) you want to use

• Look for manufacturers who have good supply chain security

• Consider which supplier(s) you will buy your devices from. From a security perspective, you may wish to specifically think about:

  • The security reputation of the device supplier

  • If they can supply the range of devices your organization has chosen to use

  • How up to date the devices they supply will be

  • How they will handle returns of faulty devices. For example, you may need to return devices which contain corporate data, so make sure you agree a sanitization process with them

  • If they support your zero-touch enrolllment program(s)

  • At what point they assign devices to you in their supply chain. Some suppliers may use just-in-time manufacturing for large orders and consequently overseas factories may be aware of the end customer for devices. Other suppliers may use domestic storage facilities and therefore provide a more limited opportunity for supply-chain attacks

• How any of your overseas users might source devices while abroad

• How you will distribute devices to your end users. Depending on configuration, devices may be vulnerable if intercepted while being distributed.

We recommend the following steps for purchasing mobile devices within an organization:

• Decide which devices you’re going to use

• Sign up for zero touch enrollment for those devices

• Decide which supplier(s) you will use to buy your devices

• Discuss the security considerations related to the devices you’re going to use with your chosen supplier(s)

• Deploy and test procedures for enrolling new devices into your mobile device management infrastructure

• Develop secure device handling processes for distributing devices to users within your organization

• Where corporately-owned devices are purchased outside of a trusted supplier, securely erase the devices to reduce the risk from supply chain attacks and enroll them manually

• Provide user guidance which informs users how to complete enrollment on their new devices, including:

  • What to expect from the enrollment process, including screenshots

  • When and where to enter their corporate credentials

  • How to update their new device - it will likely be out of date by the time it is enrolled

Using a zero-touch enrollment program typically means that the end customer of a device is known when the device is being manufactured - which will likely be overseas, whereas without zero-touch enrollment the devices may not be assigned to the customer until they have reached a local storage and distribution facility. If this causes concerns for your organization then you may wish to not use the various zero-touch enrollment programs.