Does jailbreaking or rooting devices, and BYOD mix?

The short answer is no. The slightly longer answer... definitely not.

Time to answer a timely enterprise question in today's Hardware 2.0 mailbox.

I read today that Evasi0n has been used to jailbreak over 7 million iOS devices over the past few days, making it the most popular jailbreak yet. Our company has embraced bring-your-own-device (BYOD) but at present we don't have a policy prohibiting jailbroken and rooted devices. Should we?

Yes. That was a relatively easy answer, but there is a very good reason to it.


I'm a big fan of jailbreaking iOS devices and rooting Android devices. I believe that people should have the freedom to do whatever they want with the devices they've bought. However, there's one exception to this rule, and that's BYOD devices.

Read this

Inside the iOS 6.1 jailbreak; how evad3rs cracked the Apple code

There are numerous exploit mitigations in iOS 6.1 that make jailbreaking incredibly difficult, including sandboxing, ASLR, and code signature requirements, but that didn't stop four developers from defeating all of them.

Read More

Jailbreaking and rooting bypasses the device's security mechanisms, allowing any app to be installed on the device. And all it takes is a single rogue app behind a corporate firewall to allow the bad guys into your corporate digital fortress.

At the Gartner 2012 security and risk management summit Lawrence Pingree said, "quiet, unassuming smartphone users may actually be dangerous hackers, putting their companies' security in jeopardy without even knowing it."

Pingree went on to say that jailbroken and rooted devices posed a very significant risk and should be banned from the enterprise network altogether. 

"If we want to drive home anything here," Pingree said, "it is to prevent jailbreaking at any cost."

Enforce a no jailbreaking or rooting policy with mobile device management (MDM) software. Any decent package will automatically exile any devices that have been tampered with.

It may come across as extreme—especially if you're already allowing workers to make use compromised devices—but it's the only way to be absolutely sure.