OVERVIEW
Security is a key concern for every organization. 42Gears is committed to ensuring security and to meeting statutory and regulatory compliance requirements.
CERTIFICATIONS
ISO/IEC 27001:2013
42Gears holds ISO/IEC 27001 certification, the international standard for an Information Security Management System (ISMS). An ISMS is a framework of policies and procedures covering the technical, legal and physical controls involved in a company's information-risk management process. Note that ISO/IEC 27001:2022 has since superseded the 2013 edition, and certificates issued against 27001:2013 remain valid only until the end of the transition period (31 October 2025); check the edition and expiry date printed on the certificate.
Download ISO 27001 Certificate
Benefits of ISO 27001:
- Compliance with commercial, contractual, and legal responsibilities
- Improving processes and strategies
- Preventing fines and loss of reputation
- Retaining customers and winning new business
Information Commissioner’s Office
The Information Commissioner's Office (ICO) is the UK's independent authority for upholding information rights in the public interest and data privacy for individuals.
The Data Protection (Charges and Information) Regulations 2018 require organisations that process personal data to pay a data protection fee to, and be registered with, the ICO.
You may view 42Gears ICO registration here.
SOC 2 Type II Report
A SOC 2 Type II audit reports on the controls at a service organization that are relevant to security, availability, processing integrity, confidentiality and privacy (the AICPA Trust Services Criteria). Conducted by an independent service auditor, the audit evaluates the design, implementation and operating effectiveness of the controls 42Gears has put in place for its products SureMDM, SureLock, SureFox, SureVideo and AstroContacts. Unlike a Type I report, which describes controls at a point in time, a Type II report covers their operation over the whole audit period.
During the audit period, tests of controls were performed on the controls as they existed and were applied, for those controls relating to the in-scope trust services criteria. The audit covered the controls pertaining to the confidentiality, integrity and availability of 42Gears' services. The report demonstrates the company's commitment to the security of customer data.
A copy of the 42Gears SOC 2 Type II report is available under NDA. To get yours, please send a mail to sales@42gears.com.
Cyber Essentials
Cyber Essentials is a UK Government-backed, industry-supported scheme that provides a clear statement of the basic controls organizations should have in place to mitigate the risk from a wide range of cyber threats. This certification assures customers that 42Gears understands its cyber-security posture and works to secure its IT against cyber attack. Cyber Essentials certification is valid for twelve months and is renewed annually.
You may download our current certification here.
REGULATORY COMPLIANCE
General Data Protection Regulation (GDPR)
The European Union (EU) General Data Protection Regulation (GDPR), enforceable as of May 25, 2018, imposes additional requirements on companies to enhance the protection of the personal data of EU residents. 42Gears Mobility Systems has a dedicated, cross-functional team overseeing 42Gears' GDPR readiness. We discuss our efforts and commitment to GDPR here.
California Consumer Privacy Act (CCPA)
If You are a California resident, You are entitled to certain rights with respect to personal information that We collect about You. Learn more about these rights and how to exercise them in our California Privacy Notice.
STAR REGISTRY LISTING
The Consensus Assessments Initiative Questionnaire (CAIQ) is a series of comprehensive questions designed by the Cloud Security Alliance (CSA) to give cloud service consumers insight into the security, privacy and compliance processes of a cloud service provider.
The 42Gears team has compiled detailed responses to over 200 items in the assessment for our SureMDM product, organised by the respective CAIQ domains, and has completed the CSA STAR Level 1 Self-Assessment for the cloud services.
Download the CSA STAR Self-Assessment from CSA STAR Registry for 42Gears Mobility Systems Pvt Ltd.
DATA WE COLLECT
We capture and store the following information through our products to help our customers meet their device management objectives.
SureMDM
- Device Details– SureMDM collects Android_ID, device make, model, OS and OS version, timezone, IP address, MAC address, mobile carrier information, etc. This information is collected to identify duplicate enrollments and filter out apps that are not compatible with the Enterprise Store.
- Battery Status and Data Usage– This information is collected so that IT admins can view Charging Status in the Device Info panel and Data Usage on the Dashboard. Admins can check such details and act on them if the figures go below or above defined thresholds (there is an option for IT admins to get notified if values cross set thresholds).
- Information Collected for Company-Owned Mobile Devices– SureMDM stores inventory information for each managed mobile device. The following information is collected for each company-owned mobile device:
- Hardware information, including UDID, SIM serial number, IMEI, IMEI2, MAC address, model, brand, storage information, phone number, address, Bluetooth MAC address, contact name, device local IP address, location (longitude and latitude), etc. Location is captured so that IT admins can track business devices (so that a lost or stolen device is not misused and corporate data is not leaked). Details such as the Bluetooth MAC address and SIM serial number are captured mainly for inventory management.
- Operating system information, such as version, build number and security patch date, so that IT admins can keep track of devices and push new updates when available.
- Installed apps
- Installed configuration profiles
- Information can also be collected using mobile device extension attributes, custom fields through which almost any type of data can be collected from company-owned devices.
Note: All this data is collected mainly for asset tracking and inventory management. Because SIM-derived identifiers such as the SIM serial number are part of the inventory, any attempt to tamper with or swap the SIM card can be detected and IT admins can be notified immediately of the non-compliant action. For more information, please refer to the 42Gears Privacy Page.
- Information Collected from Personally-Owned Mobile Devices– SureMDM stores limited details of personally-owned mobile devices. The following information can be viewed for each personally-owned mobile device:
- Hardware information, including UDID, serial number, MAC address, model, IMEI, IMSI, brand, storage information, phone number, address, Bluetooth MAC address, contact name, device local IP address, location (longitude and latitude), etc. Location is captured so that IT admins can track devices used for business (so that a lost or stolen device is not misused and corporate data is not leaked). Details such as the Bluetooth MAC address and SIM serial number are captured mainly for inventory management.
- Operating system information, such as version, build number and security patch date, so that IT admins can keep track of devices and push new updates when available.
- Managed apps installed by SureMDM
- Configuration profiles installed by SureMDM
- Mobile device extension attributes do not apply to personally-owned mobile devices.
This information is collected mainly for asset tracking and inventory management. Because SIM-derived identifiers (IMSI, SIM serial number) are part of the inventory, any attempt to tamper with or swap the SIM card can be detected and IT admins can be notified of the non-compliant action. For more information, please refer to the 42Gears Privacy Page.
Data collected in MDM: https://www.42gears.com/data-collected-in-mdm/
SureLock
The following information is collected for Android devices:
- Hardware information, including device model, IP address, IMEI, IMEI2, Wi-Fi MAC, Bluetooth MAC, Android ID, serial number and device OS– These details are captured for the purpose of device activation and enabling kiosk lockdown.
The following information is collected for Windows devices:
- Hardware information, including device model, IP address, Wi-Fi MAC and device OS– These details are captured for the purpose of device activation and enabling SureLock.
SureFox
The following information is collected for Android devices:
- Hardware information, including device model, IP address, IMEI, Wi-Fi MAC, Bluetooth MAC and device OS– These details are captured for the purpose of device activation and enabling kiosk lockdown.
SureVideo
The following information is collected for Android devices:
- Hardware information, including device model, IP address, IMEI, Wi-Fi MAC, Bluetooth MAC and device OS– These details are captured for the purpose of device activation and enabling kiosk lockdown.
The following information is collected for Windows devices:
- Hardware information, including device model, IP address, IMEI, Wi-Fi MAC, Bluetooth MAC and device OS– These details are captured for the purpose of device activation and enabling kiosk lockdown.
The following information is collected for iOS devices:
- Hardware information, including device model, IP address, IMEI, Wi-Fi MAC, Bluetooth MAC and device OS– This information is captured for the purpose of activation.
AstroContacts
The following information is collected:
Operating system, device model and serial number
AstroFarm
The following information is collected:
- Details From Phone– Device platform, model name, device serial number, OS details, phone details such as IMEI, IMSI, ICCID, network and phone number, manufacturer name, CPU details, battery details, browsers available on the device, display details and network details.
- Details of a User– Name, Email address.
REQUIRED APP PERMISSIONS
SureMDM
Android
Following is the list of important permissions SureMDM Nix needs in order to function properly:
- Device Admin– SureMDM Nix asks for Device Admin permission so that it can enforce security policies now and apply new ones in the future. It is recommended to make Nix a Device Admin so that new security policies can be applied seamlessly. For Android Enterprise (EMM) enrollment, Device Owner permission is mandatory. Note that Google deprecated several legacy Device Admin policies (password and camera controls among them) in Android 9 and removed them for apps targeting Android 10, so Device Owner enrollment is the more robust path on current devices.
- Usage Access– This is mainly used to calculate mobile data consumption. It keeps track of data consumption and helps ensure that data connectivity is not misused. For app usage, this permission lets Nix determine which application is currently running, so that IT admins can tell whether the app in use is whitelisted.
- Ignore Battery Optimization– This keeps SureMDM Nix running in the foreground so that it does not go offline after the app has been idle for some time. If SureMDM Nix goes offline, the device shows as offline and the IT admin cannot perform any action on it.
- Allow Screen Capture– This enables remote management of devices so that IT admins can keep track of the activities being performed by users on their devices.
- Configure System Permissions– This is required to give end users the option to modify settings such as system brightness, time zone and font size, based on their requirements.
- Configure Unknown Sources– Once this is enabled, SureMDM Nix can install third-party apps (apps not obtained from the Play Store) on the device. This permission captures the user's consent for the same.
- Display over other apps– This permission is mandatory on Android 10 and later. It is required so that notifications for messages or jobs pushed by the IT admin are displayed on top of the app currently running on the device.
- Runtime permissions– SureMDM needs the user's permission to access the Camera, Call Logs, SMS Logs, Contacts, Location and Storage for some functionalities to work. These are used to collect data for inventory management and to read SIM card information so that the IT admin can be notified if a device is being misused by the user (the camera can be used to take pictures of any suspicious action being performed by the user so that security concerns can be addressed).
iOS
- Notifications– To receive push notifications and inform the user that jobs/profiles have been successfully applied
- VPN– For network fencing
- Camera– To scan the QR code that enrolls the device with the SureMDM console
- Location Access– For geo fencing
macOS
- Location Access– For location tracking
- Accessibility– To allow touch events during remote support sessions
- Files and Folders– To access files during remote support
- Screen recording– For remote support
SureLock
Android
Following is the list of important permissions SureLock needs in order to function properly:
- Set SureLock as Default Launcher– SureLock replaces the device's home screen (launcher) so that users land in the locked-down kiosk screen.
- Configure Runtime Permissions– Following are the different permissions needed:
- Storage- This is required to read or write settings on external storage.
- Telephone- This is required to read the IMEI number for activation.
- Contacts- This is required for the phone settings that block or whitelist phone calls.
- SMS- This is required for receiving SMS commands, such as change password.
- Camera- This is required to import settings from a QR code.
- Location- This is required for the driver safety settings.
- Activate Device Admin– This is needed to improve security and to apply security policies in the future. It is recommended to make SureLock a Device Admin so that new security policies can be applied seamlessly.
- Enable Samsung KNOX– This permission is specially for Samsung devices. It is required to enable advanced lockdown features like disable power off button, volume button, etc.
- Enable Usage Access– This permission is required to enable the Kiosk mode.
- Configure System Permissions– The main purpose of this is to provide end users with an option to modify settings like system brightness, etc. based on their requirements.
- Enable Notification Access– This permission is required to block notifications and to display badges on apps.
- Enable Display Over Other Apps– This permission is required to enable the power saving settings.
- Enable SureKeyboard Service– The main purpose of this is to provide flexibility to the end users to use SureKeyboard instead of the system keyboard.
- Disable USB Debugging– This permission is intended to disable developer options.
- Disable Automatic Update From Play Store– This setting can be used to disable updates automatically from the Play Store.
SureFox/SureFox Lite
Android
Following is the list of important permissions SureFox needs in order to function properly:
- Configure Runtime Permissions– Following are the different permissions needed:
- Storage- This is required to read or write settings on external storage.
- Telephone- This is required to read the IMEI number for activation.
- Contacts- This is required for disabling automatic updates from the Play Store.
- Microphone – This is required for allowing microphone access for allowed websites. SureFox will not have access to the audio allowed nor will it record/collect any audio for its own use.
- Camera- This is required to import settings from the QR code.
- Location- This is required for allowing location access for allowed websites.
- Activate Device Admin- This is required to improve security and to apply security policies in the future. It is recommended to make SureFox the Device Admin so that in future new security policies can be applied seamlessly. This permission is mandatory for those using Samsung KNOX features.
- Enable Samsung KNOX– This permission is specially required for Samsung devices for enabling advanced lockdown features like disable power off button, volume button, etc.
- Enable Usage Access– This permission is required to enable the Kiosk mode.
- Enable Display Over Other Apps– This permission is required to enable the power saving settings.
- Configure System Permissions– The main purpose of this is to provide end users with an option to modify settings, like screensaver, based on their requirements.
iOS
- Photo Library– To access pictures from Photos
- Photo Library Additions– To save pictures in Photos
- Camera– To scan QR codes
- Location Access– To show location-wise web search data to users in the browser
- Motion– To know the device orientation (landscape/portrait) and measure the speed of the device movement
- Microphone– To use the microphone
- Media Library– To access media files
SureVideo
Android
Following is the list of important permissions SureVideo needs in order to function properly:
- Configure Runtime Permissions– Following are the different permissions needed:
- Storage- This is required to access photos, media, and files on your device.
- Telephone- This is required to read the IMEI number for activation.
- Camera- This is required to import settings from the QR code.
- Location- This is required to get the available networks in the Wi-Fi Center plugin.
- Enable Usage Access– This permission is required to enable the Kiosk mode.
- Enable Display Over Other Apps– This permission is required to enable the power saving settings.
- Configure System Permissions– The main purpose of this permission is to give end users the option to modify settings, such as screensaver settings, based on their requirements.
AstroContacts
Following is the list of important permissions AstroContacts needs in order to function properly:
- Contacts– AstroContacts requires this permission to access the contacts and sync contact details from AstroContacts to the local phone book. The sync is one-way, from AstroContacts to the phone book; the AstroContacts application installed on the device never reports the device's contacts to the server.
- Camera– AstroContacts needs this permission to allow the user to change the profile picture and scan a QR code to enroll.
- Photos– AstroContacts requires this permission to add the photo to the photo library and later use it as a profile picture.
AstroFarm
Following is the list of important permissions AstroFarm needs in order to function properly:
Normal level permissions
DISABLE_KEYGUARD: Allows the app to dismiss a keyguard (lock screen) that is not secured with a PIN, pattern or password; used for locking and unlocking farm devices.
WAKE_LOCK: Allows the app to keep the CPU running or the screen from dimming while a device is in use; it does not by itself unlock the device.
INTERNET: Required for network connectivity to the AstroFarm service.
ACCESS_NETWORK_STATE: Used to read the connection status (connected, disconnected or roaming).
CHANGE_WIFI_STATE: Allows the app to change Wi-Fi connectivity state.
ACCESS_WIFI_STATE: Allows the app to read information about Wi-Fi networks.
BLUETOOTH: Used to read the Bluetooth state.
BLUETOOTH_ADMIN: Used to read Bluetooth details and change its state. On Android 12 (API level 31) and later, BLUETOOTH and BLUETOOTH_ADMIN are replaced by the BLUETOOTH_CONNECT and BLUETOOTH_SCAN runtime permissions.
FOREGROUND_SERVICE (API level 28 and later): Required to run a foreground service, which shows a persistent notification that the app is running in the background.
MANAGE_ACCOUNTS: Declared for managing the profile, such as adding and deleting accounts. Note that this permission was deprecated at API level 22 and has had no effect since API level 23 (Android 6.0).
Signature level permission
DUMP: Allows an application to retrieve state dump information from system services. Its protection level is signature|privileged|development, not normal: a regular third-party install never receives it, and it is held only by apps signed with the platform key, installed as privileged system apps, or granted over adb for development.
Dangerous level permissions (runtime permissions, which the user can deny or revoke)
READ_PHONE_STATE: Read-only access to phone state, including the current cellular network information, the status of any ongoing calls, and the list of PhoneAccounts registered on the device.
GET_ACCOUNTS: Access to the list of accounts in the Accounts Service (for example Google or Dropbox accounts on the device). From Android 8.0 (API level 26) an app sees only the accounts whose authenticator has made them visible to it.
WRITE_EXTERNAL_STORAGE: Allows the application to write to external storage. It has no effect for apps targeting API level 30 (Android 11) or later, which use scoped storage instead.
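A reviewer's check for a permission list like the one above, as an added example (not 42Gears code): it parses the <uses-permission> entries of an Android manifest and groups them by what they mean in practice, so that a signature-level permission filed under "normal" (DUMP above) or a permission that no longer does anything at the app's target SDK stands out. SAMPLE_MANIFEST is constructed for illustration and mirrors the AstroFarm list; the protection levels and platform notes are taken from the AOSP Manifest.permission reference and cover only the permissions named on this page, so anything else lands in "unknown".

```python
"""Group an Android manifest's <uses-permission> entries by what they mean in
practice: runtime permissions, permissions an ordinary install can never hold,
and permissions whose behaviour changed at the app's target SDK.

Added example, not 42Gears code. SAMPLE_MANIFEST is constructed for
illustration; the tables cover only the permissions listed on this page and
follow the AOSP Manifest.permission reference."""

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
TARGET_SDK = "{%s}targetSdkVersion" % ANDROID_NS

# Documented protection level of each permission this example knows about.
PROTECTION_LEVEL = {
    "android.permission.DISABLE_KEYGUARD": "normal",
    "android.permission.WAKE_LOCK": "normal",
    "android.permission.INTERNET": "normal",
    "android.permission.ACCESS_NETWORK_STATE": "normal",
    "android.permission.CHANGE_WIFI_STATE": "normal",
    "android.permission.ACCESS_WIFI_STATE": "normal",
    "android.permission.BLUETOOTH": "normal",
    "android.permission.BLUETOOTH_ADMIN": "normal",
    "android.permission.FOREGROUND_SERVICE": "normal",
    "android.permission.MANAGE_ACCOUNTS": "normal",
    "android.permission.DUMP": "signature|privileged|development",
    "android.permission.READ_PHONE_STATE": "dangerous",
    "android.permission.GET_ACCOUNTS": "dangerous",
    "android.permission.WRITE_EXTERNAL_STORAGE": "dangerous",
}

# (target SDK from which the note applies, note)
PLATFORM_NOTES = {
    "android.permission.MANAGE_ACCOUNTS": (23, "removed at API 23; has no effect"),
    "android.permission.WRITE_EXTERNAL_STORAGE": (30, "no effect under scoped storage (targetSdk >= 30)"),
    "android.permission.BLUETOOTH": (31, "use BLUETOOTH_CONNECT/BLUETOOTH_SCAN on API 31+"),
    "android.permission.BLUETOOTH_ADMIN": (31, "use BLUETOOTH_CONNECT/BLUETOOTH_SCAN on API 31+"),
}

# Constructed sample manifest mirroring the AstroFarm permission list above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.farmagent">
    <uses-sdk android:minSdkVersion="21" android:targetSdkVersion="33" />
    <uses-permission android:name="android.permission.DISABLE_KEYGUARD" />
    <uses-permission android:name="android.permission.WAKE_LOCK" />
    <uses-permission android:name="android.permission.INTERNET" />
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE" />
    <uses-permission android:name="android.permission.CHANGE_WIFI_STATE" />
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE" />
    <uses-permission android:name="android.permission.DUMP" />
    <uses-permission android:name="android.permission.BLUETOOTH" />
    <uses-permission android:name="android.permission.BLUETOOTH_ADMIN" />
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE" />
    <uses-permission android:name="android.permission.MANAGE_ACCOUNTS" />
    <uses-permission android:name="android.permission.READ_PHONE_STATE" />
    <uses-permission android:name="android.permission.GET_ACCOUNTS" />
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE" />
</manifest>"""


def audit_manifest(manifest_xml):
    """Return {'target_sdk', 'runtime', 'not_grantable', 'platform_notes', 'unknown'}."""
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    target = int(sdk.get(TARGET_SDK, "1")) if sdk is not None else 1
    report = {"target_sdk": target, "runtime": [], "not_grantable": [],
              "platform_notes": {}, "unknown": []}
    for element in root.iter("uses-permission"):
        perm = element.get(NAME)
        level = PROTECTION_LEVEL.get(perm)
        if level is None:
            report["unknown"].append(perm)        # extend the table before trusting the report
            continue
        if level == "dangerous":
            report["runtime"].append(perm)        # user can deny or revoke at any time
        elif "signature" in level:
            report["not_grantable"].append(perm)  # never granted to a normal third-party install
        since, note = PLATFORM_NOTES.get(perm, (None, None))
        if since is not None and target >= since:
            report["platform_notes"][perm] = note
    return report


if __name__ == "__main__":
    for key, value in audit_manifest(SAMPLE_MANIFEST).items():
        print("%-15s %s" % (key, value))
```

Run it against a real manifest by reading the decoded AndroidManifest.xml (for example from apktool output) into audit_manifest(); a non-empty "not_grantable" list on a Play Store app means the permission is declared but will never be held.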
CamLock
Android
Configure Runtime Permissions: CamLock asks the user to grant Location permission to the application. This permission must be set to "While Using The App" for the application to function.
Enable Background Location: This asks the user to grant location access with the "Allow all the time" setting. CamLock requires this for advanced device-management features to work, such as restricting use of the camera in a specified location.
Note: A prominent in-app disclosure must be shown and user consent obtained before the location runtime-permission prompt appears; Google Play requires this for apps that use background location.
Enable Accessibility Settings: Clicking this option takes the user to the "Accessibility" section of System Settings. The user should select the CamLock application and grant the Accessibility permission, which prevents the user from revoking the CamLock agent's permissions.
Enable Display Over Other Apps: Clicking this option takes the user to the "Display over other apps" section of System Settings. The user should select the CamLock application and allow display over other apps for the application to function.
Allow Modification of System Settings: Clicking this option takes the user to the "Modify system settings" section of System Settings. The user should select the CamLock application and allow modification of system settings so that CamLock can read and change system settings.
Disable Multi-users: Clicking this option takes the user to the "Multi-user" screen in System Settings. The user will need to remove the other users and save the configuration to grant this permission to CamLock.
Disable Secondary Space: Clicking this option takes the user to the "Secondary space" section (under Explore New Features in System Settings) on the device. The user will need to remove the secondary space and save the configuration to grant this permission to CamLock.
Enable Location Service: Clicking this option takes the user to the Location section of System Settings. The user should select the CamLock application and grant the "Use Location" permission so that CamLock can block the camera by location.
DATA SECURITY AND SECURITY PRACTICES
42Gears' system administration team routinely performs security assessments of all live systems, using third-party auditing tools at regular intervals to ensure that system security is not compromised. Microsoft Baseline Security Analyzer (MBSA) identifies missing security updates and common security misconfigurations in Microsoft Windows, Windows components such as Internet Explorer and the IIS web server, Microsoft SQL Server, and Microsoft Office macro settings. Note that Microsoft no longer maintains MBSA and its last release does not support current Windows versions, so missing-update and misconfiguration checks on current Windows builds need a maintained vulnerability scanner or Windows Update / WSUS compliance reporting rather than MBSA.
Data Center Security
42Gears hosts its services on Amazon Web Services (AWS), Google Cloud Platform (GCP) and MongoDB Atlas. The underlying data centres are equipped with physical security measures such as surveillance feeds, fencing, security guards and intrusion detection technology.
Physical and Logical Access Control
In addition to the data center security provided by AWS, GCP and MongoDB Atlas, 42Gears follows standard, strict procedures to secure customer data. A dedicated system administration team is responsible for system security. Our servers are administered over a secured network: remote administrative access over SSH/RDP is encrypted, requires two-factor authentication (2FA), and is limited to select, authorized 42Gears staff. Strict firewall policies and audit logs ensure tight access control.
Server Security
Live servers are covered by the routine security assessments and periodic third-party audits described above, so that server configuration drift and missing patches are detected before they can be exploited.
Secure Client Installation on Mobile Devices
Common app marketplaces, such as the Microsoft Store, Apple App Store and Google Play Store, have their own security processes and models to ensure secure client installation on mobile devices. 42Gears follows the rules each store has set for publishing the SureMDM agent application, Nix.
Secure Client Communication
42Gears uses TLS (Transport Layer Security, version 1.2 or later; see the TLS notice under Product Security) to secure communication between endpoints and the MDM server. The endpoints include mobile devices running Android, iOS and Windows. For iOS, SureMDM uses the Apple Push Notification service (APNs) to wake the device; the device then connects to the MDM server over TLS to fetch its commands. Communication with APNs requires an MDM push certificate, which the admin obtains from the Apple Push Certificates Portal. For Android devices, 42Gears uses Google's push service (Google Cloud Messaging, since replaced by Firebase Cloud Messaging after GCM was shut down in 2019), and for Windows devices, Windows Push Notification Services (WNS).
Identity and Authentication
- Device Enrollment Authentication
- 42Gears SureMDM can integrate with any OAuth 2.0-based identity endpoint for this authentication. This allows 42Gears to use identity services such as ADFS, Azure AD (now Microsoft Entra ID), Google Workspace (formerly G Suite) and Microsoft 365 for device enrollment.
- Portal Login Authentication
- By default, 42Gears SureMDM provides its own built-in user management, but it can also integrate with any SAML 2.0-based identity provider to offer Single Sign-On. Azure AD, Okta and OneLogin are a few such identity services.
- Two-Factor Authentication
- SureMDM can protect admin accounts from password theft by enabling two-factor authentication for account owners and co-account owners through Google Authenticator (a TOTP app), email, and/or phone number. Once two-factor authentication is enabled, IT admins must provide an additional form of identity proof when logging in, such as a time-sensitive one-time password (OTP). Of these options, the authenticator app is the stronger second factor: OTPs delivered by SMS or email can be intercepted through SIM swapping or a compromised mailbox.
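The server-side check behind an authenticator-app second factor, as an added example (not 42Gears code): it generates and verifies RFC 6238 time-based one-time passwords, the scheme Google Authenticator implements, with a one-step clock-skew window and single-use enforcement so that a code captured from a user cannot be replayed. The secret used in the self-check is the RFC 6238 test-vector key; SEEN_COUNTERS is an assumed in-memory store standing in for a per-user column in the account database.

```python
"""Generate and verify RFC 6238 time-based one-time passwords (what Google
Authenticator produces), with a clock-skew window and single-use enforcement.

Added example, not 42Gears code. SEEN_COUNTERS is an assumed in-memory store
standing in for a per-user column in the account database."""

import hashlib
import hmac
import struct
import time

DIGITS = 6
STEP = 30          # seconds per time step; Google Authenticator uses 30


def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, digits=DIGITS):
    """RFC 6238: HOTP with the counter derived from Unix time `at`."""
    return hotp(secret, at // STEP, digits)


SEEN_COUNTERS = {}   # user -> highest time-step counter already accepted (assumed store)


def verify_totp(user, secret, submitted, now=None, window=1):
    """Accept `submitted` if it matches the current step or up to `window`
    steps either side (clock skew), comparing in constant time. A step at or
    below the last accepted one is refused, so a captured code cannot be
    replayed and an older code cannot be used after a newer one."""
    now = int(time.time()) if now is None else now
    current = now // STEP
    last = SEEN_COUNTERS.get(user, -1)
    for counter in range(current - window, current + window + 1):
        if counter <= last:
            continue
        if hmac.compare_digest(hotp(secret, counter), submitted):
            SEEN_COUNTERS[user] = counter
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test-vector key; in production the secret is per user, random,
    # and stored encrypted at rest.
    secret = b"12345678901234567890"
    code = totp(secret, int(time.time()))
    print("current code:", code)
    print("first use:", verify_totp("alice", secret, code))    # True
    print("replay:", verify_totp("alice", secret, code))       # False
```

The single-use rule is what turns "time-sensitive" into actual replay protection: without it, a code phished from the admin stays valid for the rest of its 30-second step (plus the skew window) on every login attempt.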
Payment
- Payment Gateways– We work with a few commercial payment gateways, such as PayPal, Stripe, Chargify and BlueSnap. Once customers select a payment gateway, they are redirected to systems controlled by that provider to complete the payment. These payment gateways render payment services as data controllers and comply with the obligations for processing data under applicable data protection laws and their respective privacy notices. We do not store or collect your payment card details in any manner whatsoever.
- The payment processors we work with are:
- Stripe– https://stripe.com/us/privacy
- PayPal– https://www.paypal.com/en/webapps/mpp/ua/privacy-full
- BlueSnap (formerly Plimus)– https://home.bluesnap.com/privacy-policy/
PRODUCT SECURITY
Application Security Certification
To provide secure and reliable products for our customers, we treat security and data protection as fundamental requirements throughout each product's entire life cycle.
Security is a core part of our product development. During the development of a new product or feature, we conduct a comprehensive threat and risk analysis and derive specific security requirements for the product or feature and for its integration into the complete solution. During the design phase and before release, we verify product security through comprehensive testing (vulnerability assessment and penetration tests) against OWASP security standards. All security updates, patches and upgrades undergo the same rigorous tests and are deployed only once they have passed.
Furthermore, all our products are evaluated annually by third-party vendors to confirm product security and adherence to the applicable compliance requirements.
Our applications have undergone an external pen test by CyRAACS, one of the Top 10 Cyber Security companies in India.
Notice:
Support for TLS 1.0 and 1.1 Disabled
42Gears products require TLS (Transport Layer Security) 1.2 or later; TLS 1.3 is the current version. 42Gears stopped supporting TLS 1.0 and TLS 1.1 on December 31, 2021. Both versions are formally deprecated by the IETF (RFC 8996, March 2021): TLS 1.0 is vulnerable to the BEAST attack on its CBC cipher suites, neither version supports AEAD cipher suites, and both rely on MD5/SHA-1 in the handshake. (POODLE, often cited alongside them, is primarily an SSL 3.0 attack, although some TLS implementations with faulty CBC padding checks were affected by a variant.) Customers should confirm that their own proxies and on-premise components also refuse TLS 1.0 and 1.1.
Disclaimer – All 42Gears products support TLS 1.2 and above. Customers who have disabled TLS 1.0 and TLS 1.1 can opt for a customer-specific dedicated or on-premise SureMDM deployment if required.
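A way to verify the TLS policy stated above (and the client-communication claims under Secure Client Communication) against your own SureMDM or on-premise endpoint, as an added example (not 42Gears tooling): each probe pins the client to exactly one protocol version and records whether the handshake completes, and assess() turns the results into pass/fail findings. HOST and PORT are placeholders; the probe tests version negotiation only and deliberately skips certificate validation, so it is not a substitute for checking the server certificate.

```python
"""Probe which TLS protocol versions a server accepts and judge the result
against the policy: TLS 1.0/1.1 refused, TLS 1.2 accepted, TLS 1.3 expected.

Added example, not 42Gears tooling. HOST/PORT in the main block are assumed
placeholders for your own endpoint."""

import socket
import ssl

VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}


def probe_version(host, port, version, timeout=5.0):
    """Return 'accepted' if a handshake pinned to exactly `version` completes,
    'rejected' if the server (or the local TLS library) refuses that version,
    and 'error' for connection failures unrelated to TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # version probe only; not a trust check
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ssl.SSLError, ValueError):
        return "rejected"                # library built without this version
    try:
        # OpenSSL refuses TLS < 1.2 at its default security level; lower it
        # for the probe so the answer reflects the server, not the client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                             # no security levels (e.g. LibreSSL)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "error"
    except ssl.SSLError:
        return "rejected"
    except OSError:
        return "error"


def scan(host, port):
    """Probe every version in VERSIONS and return {name: outcome}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}


def assess(results):
    """Map probe results to findings. Legacy versions must be refused, TLS 1.2
    must work, and a missing TLS 1.3 is only a warning."""
    findings = []
    for name in ("TLS 1.0", "TLS 1.1"):
        if results.get(name) == "accepted":
            findings.append("FAIL: %s still accepted" % name)
    if results.get("TLS 1.2") != "accepted":
        findings.append("FAIL: TLS 1.2 not negotiable (%s)" % results.get("TLS 1.2"))
    if results.get("TLS 1.3") != "accepted":
        findings.append("WARN: TLS 1.3 not offered (%s)" % results.get("TLS 1.3"))
    return findings


if __name__ == "__main__":
    HOST, PORT = "mdm.example.com", 443   # assumed placeholder endpoint
    results = scan(HOST, PORT)
    for name, outcome in results.items():
        print("%-8s %s" % (name, outcome))
    for line in assess(results) or ["PASS: TLS policy satisfied"]:
        print(line)
```

A "rejected" for TLS 1.0 or 1.1 can come from either side, which is the right answer for a go/no-go check; if you need to distinguish the two, run the probe once more from a host whose OpenSSL still enables the legacy versions.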
POLICIES OF 42GEARS
SECURITY RESPONSE CENTER
Report Incidents
In case of any suspected security incident, report it to security@42gears.com. Our security management team is committed to supporting you.
Responsible Disclosure
42Gears takes the security of its systems and data privacy very seriously. We constantly strive to make our systems safe for our customers to use. However, in the rare case that a security researcher or member of the general public discovers a security vulnerability in our systems and responsibly shares the details with us, we appreciate their contribution and work closely with them to address any reported issue with urgency. Further, we are happy to acknowledge their contributions publicly in line with the provisions mentioned herein.
Process to report an issue
- E-mail your findings to security-incidents@42gears.com. Please include your contact information, including a mobile number.
- Provide enough information to reproduce the problem (at minimum the fields listed below) so that we can resolve it as quickly as possible:
Title of the vulnerability
Technical severity
CVSS score
Vulnerability details
URL / location of the vulnerability (optional)
Description
Attachments: screenshots, videos, exploit code, Burp requests/responses (attach them to the email)
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people's data.
- Do not publicly disclose any vulnerabilities found, or disseminate your findings to any third party, unless approved in writing by 42Gears, to avoid legal repercussions.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam, etc.
Acknowledgements
We do not run a cash bug-bounty program, but we are happy to issue a certificate of recognition, along with goodies, to individuals who responsibly report valid security issues under the terms and conditions agreed at the time and so help us make 42Gears systems more secure.