Compromised Device Overview


Mobile devices allow constant communication and access to enterprise content on the go. While mobile devices keep vital business information flowing, malware and corrupted content can just as easily be introduced into your network. Given these potential security threats, your Mobile Device Management (MDM) strategy should be prepared for any challenge. One such security challenge is the presence of a compromised device in your mobile fleet.



Compromised devices include “jailbroken” iOS and “rooted” Android devices that a user has actively altered from manufacturer presets. These devices strip away integral security settings and may introduce malware in your network and access your enterprise resources. In an MDM environment, the overall chain is only as strong as its weakest link. A single compromised device could leak sensitive information or corrupt your servers. Monitoring and detecting compromised devices becomes even trickier in a Bring Your Own Device (BYOD) environment, with varying versions of devices and operating systems. Compromised devices are a major security concern for an enterprise and should be tackled immediately.

Jailbroken and rooted devices surrender basic safeguards, making them vulnerable entry points for undesired activity, such as:

  • Password & Identity Theft: Unencrypted usernames and passwords are easily collected and used to go deeper into sensitive areas or assume company identity.
  • Data Interception: Sent and received communication is in plain view, unprotected by normal security measures.
  • Virus Infiltration: An unguarded network is a sitting duck for virus and malware intrusion, potentially making your company’s data corrupted and unrecoverable.

The Challenge of Detection

Devices running on different platforms respond differently towards compromised detection. For example, iOS 7+ devices support background checks but may carry additional limitations. Android devices, on the other hand, allow for background checks to happen without any restrictions or limitations. AirWatch’s solution to this problem ensures detection across multiple devices and operating systems.

Note: The AirWatch Agent determines the compromised status of a device through a variety of proprietary mechanisms and reports this status to the Console. Some behavior may be automatically initiated based on a change of this status from Not Compromised to Compromised. Due to the security risk of a possible Device Root mechanism that may attempt to falsify the status being reported, once a status of Compromised is evaluated, all future statuses are ignored. This behavior is designed specifically to ensure the strongest security of the Enterprise data assigned to the user of the device and will not be changed.

AirWatch Approach

To deal with such variations, AirWatch has developed a unique multi-tiered approach to compromised device detection. Refer to the below table to understand the limitation and capabilities of iOS and Android platforms.

Platform Capabilities




Agent Enrollment

Compromised status detected during enrollment.

Compromised status detected during enrollment.

Background Check

For devices running iOS 7 and higher, background checks are available using AirWatch MDM Agent.

Allows background detection.

On-Demand Checks

Available using scheduled APNs messaging:

- On launch of any apps using the AirWatch SDK

Available using GCM/AWCM messaging:

- On launch of any apps using the AirWatch SDK

Compliance Engine

Automated remediation actions when compromised device detected or status is out-of-date.

Automated remediation actions when compromised device detected or status is out-of-date.

Detection built into enterprise apps

AirWatch SDK available to embed compromised detection logic within your enterprise apps.

AirWatch App Wrapping available to enforce compromised detection in your wrapped applications.

AirWatch App Wrapping available to enforce compromised detection in your wrapped applications.

Note: For devices running iOS 6 and lower that can access a cellular connection, background checks available using AirWatch MDM Agent if GPS tracking is enabled. For devices running iOS 6 and lower that may only access a Wi-Fi connection, background checks available using AirWatch SDK embedded in internal apps.


Detecting Compromised Devices with AirWatch

AirWatch’s solution spans the entire life of an enrolled device, locking out uninvited devices and severing ties with compromised or non-compliant devices. Our proprietary detection algorithms constantly undergo penetration testing and Research & Development based on new operating systems, ensuring the most advanced detection capabilities possible. This multi-tiered detection approach for compromised devices consists of the following:

Agent Enrollment

AirWatch’s first line of defense against unwanted devices starts at enrollment. Configure compliance settings and detect compromised devices before allowing entry to a device. Require all devices to comply with security settings or easily install profiles for the user. Security compliance detection varies based on the type of enrollment:

  • Agent-based - iOS or Android devices can enroll with the AirWatch MDM Agent downloaded from the iTunes app store or the Google Play store respectively. Once Agent is installed, the agent checks for the status of the device, the device then sends the information to the server as per the time interval set on the AirWatch Admin Console.
  • Web-based - Currently, iOS devices are the only devices that support web-based enrollment with the default Web browser on the device using the enrollment URL. To detect the status of such devices, any of the AirWatch SDK embedded apps should be installed on the device, such as the AirWatch MDM Agent, AirWatch Browser, AirWatch Secure Content Locker, or an SDK-enabled enterprise app.

For more information comparing the various enrollment approaches, see the iOS platform guide.

Background Checks

Once the device is enrolled, keep track of its compliance. The AirWatch MDM Agent provides ongoing background checks for compromised status for all Android devices and newer versions of the iOS operating system (iOS 7+) with access to a cellular network.

Specifically available to iOS 7 devices, you can take advantage of AirWatch Agent-based features including:

  • Background App Refresh – AirWatch provides a means to set interval-based collection and transmission of device information entirely through the AirWatch Agent. In this case, you can send a time parameter to the device designating how often the AirWatch Agent should be launched, at a minimum. Enable this setting by navigating to Devices > Settings > Apple > Apple iOS > Agent Settings in the AirWatch Admin Console. From this page, click Background App Refresh and configure the available options. Set the Minimum Refresh Interval and set the Agent to only check in if the device is connected to a Wi-Fi network. Setting the Minimum Refresh Interval means the device will attempt to send device information to the MDM server no more than once in the allotted minimum.
  • Silent APNs – AirWatch automatically requests background checks via silent APNs on a regular basis. In this instance, the AirWatch Admin Console sends a notification to the device requesting compromised status back to the AirWatch server. On the device, Push Notifications must be turned on for the AirWatch Agent.
    You can also manually run a query by navigating to the Device Details page for a specific device and click More > Query > AirWatch MDM Agent, as seen below. This query will only appear if the required version of the AirWatch Agent is installed on the device.

Note: Both of these iOS 7-specific Background Check features require AirWatch Agent v4.9 and higher. Additionally, the AirWatch Agent cannot be in an Inactive state. It must be Active, Suspended or Background. If the application is manually closed, background checks will not resume until the application is opened by the user again.

Additionally, using the compromised detection functionality in the AirWatch SDK, you can tie into this backgrounding logic in your internal application to accomplish background jailbreak detection.

App-Initiated Checks

Establish detection checkpoints for enterprise information and AirWatch feature usage. When a device launches the AirWatch Secure Content Locker, the AirWatch Browser, or the AirWatch MDM Agent, the detection system automatically verifies compliance status, adding an additional wall of protection to your information.

Enable your wrapped apps for iOS and Android with compromised protection. Simply enable the setting from the Settings and Policies page (Groups & Settings > All Settings >  Apps > Settings and Policies > Security Policies) along with other settings for your wrapped apps and assign the profile to your wrapped app. For more information and step-by-step instructions, please see the AirWatch App Wrapping Guide.

Enable your SDK apps for iOS with compromised detection. Starting with the iOS SDK v.3.2 you can check the compromised status of the device directly in your application, whether the device is online or offline. Your application can use only this function if the device has run a Beacon call successfully at least once in the past. For more information and sample code, please see the AirWatch iOS SDK Guide.

Compliance Engine

Once AirWatch detects compromised or non-compliant devices, the compliance engine quickly takes action on those devices based on the device policy set by the administrator on the console. AirWatch provides flexibility to the administrator to require the initial device status as well as set the time interval frequency of the compliance engine.

Detection Built Into Enterprise Apps

Rather than installing the AirWatch Agent to access the SDK, build the AirWatch SDK into your internal apps. The SDK comes with key features of MDM (which are outlined in our complete SDK Profile), including jailbreak and root detection that constantly scans for compliance. Commonly run Enterprise Apps that are pushed down to a device will run detection scans more frequently, so you’ll catch compromised devices sooner.

An administrator can then specify the actions to be taken for an app installed on the compromised device in the Admin Console. For example, if a device is found to be compromised, the administrator can apply the following actions:

  • Send user warning message
  • Lock user out of device
  • Wipe application and enterprise data
  • Restrict access


Enforcing and Monitoring Compromised Devices

Enforce compliance policies to monitor the compromised status of iOS and Android devices. The AirWatch Admin Console furnishes the administrator with tools to keep the system alert and secured.

Note: Compromised device detection for Windows Phone devices is unnecessary, as there are no known jailbreaks/roots due to the OS's UEFI and Secure Boot processes. 

Compliance Engine

The Compliance Engine serves as a security checkpoint, automatically locking out or taking additional action on devices or users. Based on the compliance rules set by the administrator for a device, the compliance engine can detect if a device is non-complaint and take defined actions on it. These rules and actions can be defined in the AirWatch Admin Console.

Once the rules and actions are established, the Compliance Engine takes care of the rest. Remediation is automated. If a scan uncovers a compromised device, the system runs through preset warnings and escalated actions. Administrators aren’t forced to address each instance as they’re found.

However, the Admin Console does enable self-service for compliance protocol. Administrators can wipe a device and send an email or SMS message to the user explaining how and why their device is out of compliance, without the user having to contact the administrator.

With the time saved by the Compliance Engine managing devices, Administrators can review weekly or monthly compliance reports to understand repeat offenders.

Last Compromised Scan compliance

The Last Compromised Scan compliance allows the administrator to set the time interval within which the agent should be performing the device scan. This ensures that if AirWatch has not received a compliance status from the device for a certain amount of time, precautionary measures can be taken.

Compromised Status compliance

The Compromised Status compliance rule allows the administrator to setup actions for a compromised device.

For the above two compliance rules, the following actions can be applied:

  • Notify: Notifying the user by sending SMS, Email, and Push Notifications.
  • Application:  Blocking or removing few or all the managed apps.
  • Command: Performing Enterprise Wipe or requesting for a device check in.
  • Profile: Blocking or removing all profiles or particular profile type or a particular profile.

Device Control Panel

Administrators can view the summary of the devices enrolled. The summary includes the security details informing the administrator whether compromised detection has been done on the device or not. If the device is not compromised, green check mark is shown.

Visualize Device Compliance

Your Dashboard provides a graphical representation of the percentage of compromised devices enrolled in a organization group. This gives the administrator a high level view of the compromised devices and helps in keeping track of such devices.

Run Scheduled or On-Demand Compliance Reports

The AirWatch Admin Console also comes with more than 100 standard reports, including a list of Compliance Reports that can run automatically at scheduled intervals or generated on-demand. Quickly view any non-compliant devices in your entire fleet or in specific organization groups. Isolate offending devices for blacklisted apps, weak passcode settings, and overall security compliance. Compliance reports allow a birds-eye view of compromised or non-compliant devices in your system.



Secured MDM is an ever growing need and thus, AirWatch takes a step ahead in that direction by offering unparalleled solution that provides and arms you to detect security threats such as compromised devices. AirWatch’s unique multi-tier detection solution has been designed to be effective on all device platforms and also provides flexibility to take required actions on the detected devices.  All the above ingredients of the detection solution make AirWatch an effective solution to keep your enterprise secured, smooth, and frictionless.

Other Languages: 日本語

Have more questions? Submit a request


Article is closed for comments.