Nessus can currently integrate Exchange 2010 or later (via Active Directory), as well as the Apple Profile Manager as shipped with Mac OS X 10.7 server, and Good device management.
Note: Devices that use IMAP instead of Exchange will not be detected.
The mobile device plugins announced on July 19, 2012, tap into Exchange and Apple Profile Manager to gather information about Android and iOS-based mobile devices used within an organization. When interfacing with Exchange, the plugins will gather the phone type, serial number, and the version of the operating system installed. Interfacing with Profile Manager, the plugins will fetch that info as well as a list of installed applications (apps) and determine whether a phone is "jailbroken". As of June, 2013, Nessus can integrate with Good mobile management technology to query for phone versions and more.
If the same device is managed by Profile Manager and checks emails via Exchange, will the phone appear twice in the Nessus report?
No. When one device accesses multiple servers that Nessus interacts with, the device scan information is consolidated in the report. Such cases also potentially allow Nessus to do more thorough checks.
Nessus installations come with a plugin that can help diagnose/debug the issue. Navigate to the "plugins" directory and run the following command and follow the instructions:
Unix installations: /opt/nessus/lib/nessus/plugins
Windows installations: C:\Program Files\Tenable\Nessus\nessus\plugins
Yes. Tenable intends to add more MDMs to support a wider variety of mobile devices.
I have multiple domains and Active Directory (AD) servers, yet the "Mobile" tab only allows me to select one. How can Nessus handle my setup?
Click on the "Mobile" tab and create a policy with the first AD controller you want to receive information from. Once the policy is saved, navigate to the "Policies" tab and edit the newly created "Mobile Devices Audit" policy. Go to Preferences -> ADSI Settings and there are fields to enter additional domains.
Does an administrator need to do anything special on company mobile devices for them to appear in the Nessus results?
Exchange: If your organization’s users are retrieving emails using ActiveSync, nothing needs to be changed on the phones.
Profile Manager: The devices must be properly enrolled with the MDM.
A. This option tells Profile Manager to send a Push Notification to each phone that is enrolled in order to force them to report their newest information to the server. By default, iOS devices only report such data when Profile Manager asks them to. Therefore, you should enable this option to make sure the device data is up-to-date.
The sister option of that setting is "Device Update Timeout (minutes)", which specifies how long the scanner should wait for the phones to react to the push notification, in order to update their data.
Exchange does not support a "de-enrollment" process, so data about phones never decays, even years after you stopped using the device. Nessus will report information about phones that have been used during the last 3 months. Phones that have not been used for that period are considered decommissioned or inactive, and will not show up in the report.
Mobile devices are difficult to scan for a variety of reasons:
- They can be on any network (3G, 4G, your LAN, or a guest access point)
- Network-wise, the device is "off" most of the time, so as to save battery. They only wake up every now and then to poll email.
- They do not have any service that allows granular identification of their OSes
Android devices prior to 2.3 do not announce their version, so they do not show up in the report. Tenable is currently researching the best method for identifying and reporting these devices.