Skip To Content

Mobile implementation guidance

The use of mobile GIS offers tremendous flexibility and provides beneficial functionality as part of an enterprise GIS. Security plays a paramount role in ensuring the confidentiality, integrity, and availability of data is maintained in an evolving mobile environment. This topic describes some best practice recommendations to mitigate against risks specific to mobile as part of an enterprise GIS.

Mobile-based security

General mobile security recommendations and capabilities to improve the security posture of a mobile deployment are listed below. For a comprehensive listing of mobile risks and mitigations, see the OWASP Mobile Top 10.

  • Leverage the use of an Enterprise Mobility Management (EMM) solution
    • Mobile Device Management (MDM)—Enables the centralization and optimization of functionality and security management for mobile. Some capabilities it can include are as follows:
      • Enforcing password policies
      • Device encryption
      • WiFi settings
      • Jailbreak detection
      • Remote wipe
    • Mobile Application Management (MAM)—Enables stricter control, management, and distribution of mobile applications. Some capabilities often included are as follows:
      • Application-level authorization and provisioning
      • Integration with enterprise application store
      • Virtualized containers and appwrapping (sandboxing)
      • Distribution, configuration, and life-cycle management of mobile apps


Authentication involves verifying the credentials in a connection attempt to confirm the identity of the client. Ensure authentication is enabled for accessing GIS services. Specifically for mobile, there are several potential options depending on the capabilities available in your enterprise such as whether a mobile security gateway is present or whether an existing virtual private network (VPN) can be leveraged by mobile devices. These options include the following:

  • Integrated Windows Authentication (IWA)—Using Kerberos (or if unavailable, NTLM), which provides a single-sign on experience to a windows-based environment.
  • Token-based authentication—Using ArcGIS tokens, which provides authentication across the ArcGIS platform.
  • Enterprise logins using SAML 2.0—ArcGIS Online or Portal for ArcGIS enables customers to use SAML 2.0 to provide a web single-sign on experience.


Authorization is the process by which client permissions are verified prior to accessing a resource or performing a specific function. Users should be assigned privileges based on role and the principle of least privilege. For mobile this can be at different levels.

  • Appropriately managing authorization within available roles in the ArcGIS platform such as administrator, publisher, and user.
  • At the EMM level, using coarse grained application-level authorization and provisioning.


Encryption is the process of transforming data so that it is unreadable by those without access to a decryption key.

  • Encrypt data-in-transit requiring HTTPS across your enterprise GIS.
  • Encrypt data-on-rest on the mobile device. This can be technically enforced by using:

Logging and auditing

Logging involves recording events of interest from a system. Auditing is the practice of inspecting those logs to ensure the system is functioning desirably or to answer a specific question about a particular transaction that occurred. Logging and auditing can be facilitated at the following levels for mobile:

  • At the device level, as facilitated by the Enterprise Mobility Management solution
  • At the application level, by logging specific user transactions

These results should be fed into a corporate Security Information and Event Management (SIEM) solution to facilitate automatic correlation of the log data to aid in the detection of malicious activity.


Hardening is the process of securely configuring systems to mitigate as many security risks as possible. The attack surface can be minimized for mobile deployments by:

  • Using a Mobile Application Management (MAM) solution to restrict applications and enable appwrapping (containerization of apps).
  • Hardening server endpoints.
    • Server-side security is identified as the number one mobile risk according to the OWASP Mobile Top 10.
    • Follow standard server hardening recommendations that align with industry best practices.