From Microsoft Windows 10 Mobile Security Technical Implementation Guide
Part of PP-MDF-201008
Associated with: CCI-000062 CCI-000366
Many mobile devices display notifications on the lock screen so that users can obtain relevant information in a timely manner without having to frequently unlock the phone to determine if there are new notifications. However, in many cases, these notifications can contain sensitive information. When they are available on the lock screen, an adversary can see them merely by being in close physical proximity to the device. Configuring the MOS to not send notifications to the lock screen mitigates this risk.
Review Windows 10 Mobile configuration settings to determine if the MOS displays notifications on the lock screen. If feasible, use a spare device and configure it for notifications on common triggers such as calendar appointments.

This validation procedure is performed on both the MDM administration console and the Windows 10 Mobile device. It assumes you have an existing device timeout policy in place that will lock the device after a certain period.

On the MDM administration console:
1. Ask the MDM administrator to verify the phone compliance policy.
2. Find the setting for "allow Action Center notifications".
3. Verify that setting restriction is turned off/disallowed.

On the Windows 10 Mobile device:
1. If on, tap the power button to turn the screen off; otherwise leave the screen off until the timeout period passes. The device could also be powered off instead.
2. Press the power button to turn on the screen.
3. The lock screen background screen should appear. Swipe a finger from the very top of the screen to bring up the action center.
4. Verify that when the action center appears, the only things visible are the 4 configurable settings buttons along with the "all settings" button.

If an MDM policy for "allow Action Center notifications" is not set to turned off/disallowed, or if on the Windows 10 Mobile device any notifications for various services like email show up under the settings buttons, this is a finding.
Configure the MDM system to require the "allow Action Center notifications" policy to be disabled for Windows 10 Mobile devices. Deploy the MDM policy on managed devices.
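The console-side check can be automated against an exported policy payload. The following is an added example, not part of the STIG: it assumes the "allow Action Center notifications" setting maps to the Windows Policy CSP node AboveLock/AllowActionCenterNotifications (0 = not allowed, 1 = allowed, the default when unset), and the SyncML payloads are constructed samples.

```python
import xml.etree.ElementTree as ET

# Assumption: the STIG's "allow Action Center notifications" setting maps to this
# Policy CSP node (0 = not allowed, 1 = allowed, which is the default when unset).
POLICY_URI = "./Vendor/MSFT/Policy/Config/AboveLock/AllowActionCenterNotifications"

# Constructed sample payloads, not taken from a real MDM console.
COMPLIANT = """<SyncBody><Replace><CmdID>1</CmdID><Item>
  <Target><LocURI>./Vendor/MSFT/Policy/Config/AboveLock/AllowActionCenterNotifications</LocURI></Target>
  <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
  <Data>0</Data>
</Item></Replace></SyncBody>"""
NONCOMPLIANT = COMPLIANT.replace("<Data>0</Data>", "<Data>1</Data>")
# Sets only an unrelated placeholder policy, so the lock screen policy is absent.
UNSET = """<SyncBody><Replace><CmdID>1</CmdID><Item>
  <Target><LocURI>./Vendor/MSFT/Policy/Config/Example/UnrelatedSetting</LocURI></Target>
  <Data>5</Data>
</Item></Replace></SyncBody>"""


def _local(tag):
    """Strip an XML namespace so namespaced and bare SyncML both match."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, *path):
    """Follow child elements by local name and return the stripped text."""
    for name in path:
        elem = next((c for c in elem if _local(c.tag) == name), None)
        if elem is None:
            return ""
    return (elem.text or "").strip()


def check_lock_screen_notifications(syncml):
    """Return (is_finding, reason) for one exported policy payload."""
    root = ET.fromstring(syncml)
    values = [_child_text(item, "Data") for item in root.iter()
              if _local(item.tag) == "Item"
              and _child_text(item, "Target", "LocURI").lower() == POLICY_URI.lower()]
    if not values:
        # An absent policy is not a pass: the device default allows notifications.
        return True, "policy not set; device default allows notifications"
    bad = [v for v in values if v != "0"]
    if bad:
        return True, "policy present but set to %r instead of 0" % bad[0]
    return False, "policy set to 0 (notifications above lock disallowed)"


if __name__ == "__main__":
    for name, doc in [("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT), ("unset", UNSET)]:
        print(name, check_lock_screen_notifications(doc))
```

A passing result here covers only the console half of the check; the on-device swipe test is still required.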