A+ Core 2 · CompTIA 220-1202 V15 · Objective C2-2.8

Objective 2.8: Given a scenario, apply common methods for securing mobile devices

  • Cert: CompTIA A+ Core 2 (220-1202) V15
  • Domain: 2.0 Security
  • Weight: Part of the 28% Security domain
  • Depth: Given a scenario, apply. The candidate must implement hardening, screen locks, encryption, patching, endpoint security, and MDM-based policies on mobile devices.

What this objective tests

You should know how to harden iOS, iPadOS, and Android devices for business use: device encryption, screen locks, biometric/passcode options, configuration profiles, patch management, endpoint security software, locator/remote-wipe, and the policy framework via MDM.

Key facts

Device encryption:

  • Encrypts data on the device. On by default for modern iOS/iPadOS (since iOS 8) when a passcode is set.
  • Android: encrypted by default since Android 10 (file-based encryption).
  • The passcode/biometric IS the encryption gate; without it, the device can't be unlocked or decrypted.

Screen locks (general):

  • Required for device encryption to be effective. Force lock via MDM policy on corporate devices.
  • Auto-lock timer (e.g., 1-5 minutes idle).

Facial recognition (mobile):

  • iOS Face ID, Android Face Unlock. Camera-based biometric.
  • Strength varies: iOS Face ID uses TrueDepth IR + dot projector (strong). Some Android Face Unlock variants are camera-only (weaker, photo-foolable).

PIN codes (mobile):

  • 4 to 6 digit PIN as alternate unlock. 6+ digit recommended.
  • iOS allows alphanumeric passcodes for stronger lock.

Fingerprint (mobile):

  • Capacitive or ultrasonic sensor. iOS Touch ID, Android fingerprint readers.

Pattern (Android):

  • Connect-the-dots unlock pattern. Weaker than PIN of equivalent length; visible smudges on screen can reveal it.

Swipe (Android):

  • No actual security, just dismisses lock screen. Don't use as primary lock on a business device.

Configuration profiles (iOS/iPadOS) / Work profiles (Android):

  • Pushed via MDM. Configure Wi-Fi, VPN, email, app restrictions, security policies.
  • iOS: signed .mobileconfig files. Android: managed profile alongside personal profile (BYOD).

OS updates (patch management):

  • Apple delivers iOS/iPadOS updates directly to all supported devices. Most patches reach users within days.
  • Android updates flow Google > device vendor > carrier > device. Significant delay on many Android devices.
  • MDM can enforce update compliance ("device must be on iOS X.Y.Z or later").

Application updates:

  • App Store / Play Store push updates. Auto-update is usually on by default.
  • Stale apps are an attack surface. Verify update compliance via MDM.

Antivirus / anti-malware (mobile):

  • Less prevalent than on desktops because mobile OSs sandbox apps. Still relevant for enterprise contexts.
  • Examples: Lookout, Wandera, Microsoft Defender for Endpoint mobile.

Content filtering (mobile):

  • DNS-level or proxy-level filtering of accessed content. Common on K-12 student devices and corporate-issued phones.
  • Implemented via MDM policy, DNS service (Cisco Umbrella, Cloudflare for Families), or app-based (Apple Screen Time, Google Family Link).

Locator applications:

  • Find My iPhone (iOS), Find My Device (Android), corporate MDM locator features.
  • Find a lost device or wipe it remotely.

Remote wipes:

  • Trigger a wipe from a console or app to erase device data.
  • Available through Find My and MDM consoles. Corporate phones are typically configured to allow remote wipe on first enrollment.

Remote backup applications:

  • iCloud Backup, Google One Backup, third-party (e.g., Acronis Mobile).
  • Pre-loss backup; restore to a new/replacement device.

Failed login attempts restrictions:

  • iOS auto-wipes after 10 failed passcode attempts (when enabled in Settings > Face ID/Touch ID & Passcode).
  • Android lockout escalates: more failed attempts means longer lockout periods, and MDM can enforce wipe-after-N-failures.

MDM (Mobile Device Management):

  • Centralized management of mobile devices: deploy apps, push config, enforce security, monitor compliance, remote actions.
  • Examples: Microsoft Intune, Jamf (Apple-focused), VMware Workspace ONE, Google Endpoint Management, Hexnode, Kandji.

BYOD vs corporate-owned devices:

  • BYOD: employee personal device used for work. Less control; MDM scope limited (work profile or app-level management). Separates corporate data from personal.
  • Corporate-owned: company device dedicated to work. Full MDM control, full security baseline.
  • Hybrid: COPE (corporate-owned, personally enabled), CYOD (choose your own device from approved list).

Profile security requirements:

  • MDM enforces: minimum passcode complexity, device encryption, OS version, no jailbreak/root, attestation.
  • Non-compliant devices can be blocked from accessing corporate resources (conditional access).

Common gotchas

  • No screen lock = no encryption. Device encryption is gated by the passcode. Without one, data is effectively unencrypted.
  • Face Unlock photo bypass. Older/cheaper Android phones with camera-only face unlock can be fooled by a photo. iOS Face ID is more secure.
  • Remote wipe doesn't work on a powered-off device. The wipe queues until the device comes online, so theft followed by immediate power-off may leave time for data extraction.
  • MDM enrolled but no compliance policy. Enrollment alone doesn't enforce security; a compliance baseline must also be configured.
  • BYOD privacy vs work separation. MDM on personal device can see app inventory + location depending on permissions. Use work-profile model (Android) or User Enrollment (iOS) for clearer separation.
  • Patterns visible from screen smudge. Smudge analysis can reveal unlock pattern. PIN/passcode beat patterns.

Real-world context

Mobile security baseline for an SMB:

  1. Pick an MDM (Intune for Microsoft 365 orgs; Jamf for Apple-heavy orgs; Google Endpoint Management for Google Workspace orgs).
  2. Enroll corporate-owned devices fully; enroll BYOD with work profile (Android) or User Enrollment (iOS).
  3. Compliance policy: passcode 6+ digits, encryption on, screen lock at 5 minutes, OS within 1-2 versions of current.
  4. App deployment: push approved apps; restrict App Store/Play Store for high-security contexts.
  5. Conditional access in Microsoft 365 / Google Workspace: block non-compliant devices from accessing corporate email/files.
  6. Lost device procedure: enable Find My + corporate remote wipe; train users to report immediately.
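
The compliance baseline from step 3 and the conditional-access decision from step 5, as an added example (not taken from the exam objectives or from any MDM product). The Device fields, the CURRENT_OS_MAJOR values and the fleet records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Baseline from step 3 above. CURRENT_OS_MAJOR holds constructed sample values.
MIN_PASSCODE_LEN = 6
MAX_AUTOLOCK_MIN = 5
MAX_VERSIONS_BEHIND = 2
CURRENT_OS_MAJOR = {"ios": 18, "android": 15}

@dataclass
class Device:              # hypothetical inventory record, not a real MDM schema
    name: str
    platform: str
    os_major: int
    enrolled: bool
    passcode_len: int      # 0 = no passcode (swipe only)
    encrypted: bool
    autolock_min: int      # 0 = never auto-locks
    rooted: bool = False

def violations(d):
    """Return every baseline rule the device breaks (empty list = compliant)."""
    v = []
    if not d.enrolled:
        v.append("not enrolled")
    if d.passcode_len < MIN_PASSCODE_LEN:
        v.append("passcode too short")
    # Without a passcode the encryption has no gate, whatever the flag reports.
    if not d.encrypted or d.passcode_len == 0:
        v.append("encryption not effective")
    if d.autolock_min == 0 or d.autolock_min > MAX_AUTOLOCK_MIN:
        v.append("auto-lock too long")
    current = CURRENT_OS_MAJOR.get(d.platform)
    if current is None or current - d.os_major > MAX_VERSIONS_BEHIND:
        v.append("OS out of date")
    if d.rooted:
        v.append("jailbroken/rooted")
    return v

def allow_access(d):
    """Conditional access: only compliant devices reach corporate email/files."""
    return not violations(d)

FLEET = [  # constructed records
    Device("corp-iphone", "ios", 18, True, 6, True, 2),
    Device("byod-android", "android", 12, True, 4, True, 10),
    Device("enrolled-swipe", "android", 15, True, 0, True, 5),
]

if __name__ == "__main__":
    for dev in FLEET:
        print(dev.name, "ALLOW" if allow_access(dev) else "BLOCK", violations(dev))
```

The third record is the "enrolled but no compliance policy" gotcha: it is enrolled and reports encryption on, yet is blocked because a swipe-only lock leaves that encryption ungated.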
