Enforce Mobile Connections
Plain English Translation
Organizations must use technical controls on mobile devices to prevent them from automatically connecting to open or untrusted Wi-Fi networks. To meet this CyberSecure Canada requirement, organizations should use mobile device management (MDM) tools to deploy secure connection settings, such as an always-on VPN, or formally document a business rationale if enforcing these technical restrictions is not possible.
Technical Implementation
Required Actions (startup)
- Configure corporate mobile devices manually or via basic management tools to disable auto-join for open Wi-Fi networks.
- Deploy a standard VPN client for all mobile users accessing corporate resources remotely.
Required Actions (scaleup)
- Utilize MDM/EMM to systematically deploy Wi-Fi profiles that restrict connections exclusively to trusted networks.
- Enforce always-on VPN payloads on corporate-owned devices to guarantee encrypted transit over any network.
Required Actions (enterprise)
- Implement certificate-based Wi-Fi authentication (EAP-TLS) so that devices connect only to corporate networks that authenticate them by certificate.
- Use conditional access policies to block corporate data access if the device connection is not routed through a trusted VPN, ZTNA gateway, or corporate IP.
CyberSecure Canada Section 6.1.3.2(e) requires organizations to technically enforce rules that prevent users from auto-connecting to open networks, avoid untrusted Wi-Fi, limit Bluetooth/NFC for sensitive data, and use secure connectivity like VPNs. If technical enforcement is not possible, a documented rationale must be provided.
Organizations can use Mobile Device Management (MDM) platforms to push configuration profiles that disable the auto-join feature for unknown or open Wi-Fi networks. This ensures the device only connects to explicitly approved and secured corporate networks.
Administrators can deploy an always-on VPN payload via their MDM solution. This forces all internet traffic or specific corporate app traffic from the mobile device to route through an encrypted VPN tunnel, satisfying the secure connectivity requirement.
MDM platforms offer Wi-Fi restriction payloads in which administrators can allow-list approved corporate network SSIDs. Settings can also block users from manually adding new Wi-Fi networks or from connecting to the captive portals commonly found on public hotspots.
Disabling automatic Wi-Fi scanning and auto-connect features mitigates the risk of the device silently joining a malicious or rogue access point. This configuration should be centrally managed and enforced across the mobile fleet.
Auditors will look for screenshots or configuration exports from MDM systems showing that auto-join is disabled, VPNs are mandated, and network restrictions are active. If technical enforcement is absent, they will require a formally documented and management-approved risk rationale. Tools like WatchDog Security's Compliance Center can store this evidence, link it to CSC-06-011, and track review dates and ownership.
For BYOD deployments, organizations should use app containerization or workspace solutions that enforce a micro-VPN specifically for corporate data. If device-level Wi-Fi restrictions cannot be strictly applied to personal devices, this accepted risk must be formally documented as the rationale.
Documenting a rationale is acceptable when technical enforcement would break critical business functionality, or when managing personal BYOD devices restricts the organization's ability to lock down hardware network settings. The rationale must be formally assessed and signed by senior leadership. Tools like WatchDog Security's Risk Register can capture the exception scope, residual risk, and approval workflow so the rationale remains auditable over time.
Practical baselines include using Apple Configurator or Android Enterprise profiles to disable 'Ask to Join Networks', pushing a pre-configured list of trusted WPA2/WPA Enterprise networks, and deploying a mandatory VPN profile for off-site or cellular connectivity.
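As an added example that is not part of this page or of any MDM vendor's tooling: a Python check over an exported Apple configuration profile (a constructed sample with a placeholder SSID) that reports the evidence points auditors look for above: every managed SSID is WPA2/WPA3 with EAP-TLS, the device is confined to the managed SSID list, and a VPN payload is always-on. The payload keys are Apple's documented ones; it assumes the profile was exported as an XML plist.

```python
import plistlib

# Constructed sample of an exported Apple configuration profile (placeholder
# SSID, no real organization's data). Keys are documented Apple payload keys.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict><key>PayloadContent</key><array>
 <dict><key>PayloadType</key><string>com.apple.wifi.managed</string>
  <key>SSID_STR</key><string>CORP-WIFI-EXAMPLE</string>
  <key>EncryptionType</key><string>WPA2</string>
  <key>EAPClientConfiguration</key><dict><key>AcceptEAPTypes</key>
   <array><integer>13</integer></array></dict></dict>
 <dict><key>PayloadType</key><string>com.apple.applicationaccess</string>
  <key>forceWiFiToAllowedNetworksOnly</key><true/></dict>
 <dict><key>PayloadType</key><string>com.apple.vpn.managed</string>
  <key>VPNType</key><string>IKEv2</string>
  <key>AlwaysOn</key><dict><key>UIToggleEnabled</key><false/></dict></dict>
</array></dict></plist>"""

EAP_TLS = 13  # EAP method number for EAP-TLS in the IANA EAP registry

def check_profile(profile_bytes):
    """Return CSC-06-011 evidence findings for one exported .mobileconfig."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    by_type = {}
    for p in payloads:
        by_type.setdefault(p.get("PayloadType"), []).append(p)

    wifi = by_type.get("com.apple.wifi.managed", [])
    # Every managed SSID must be WPA2/WPA3 with EAP-TLS, never open or WEP.
    enterprise_only = bool(wifi) and all(
        w.get("EncryptionType") in ("WPA2", "WPA3")
        and EAP_TLS in w.get("EAPClientConfiguration", {}).get("AcceptEAPTypes", [])
        for w in wifi)
    # The restrictions payload must confine the device to the managed SSID list.
    allowed_only = any(r.get("forceWiFiToAllowedNetworksOnly") is True
                       for r in by_type.get("com.apple.applicationaccess", []))
    # An AlwaysOn dictionary in a VPN payload mandates the tunnel (supervised iOS).
    always_on_vpn = any(isinstance(v.get("AlwaysOn"), dict)
                        for v in by_type.get("com.apple.vpn.managed", []))
    findings = {"enterprise_wifi_only": enterprise_only,
                "allowed_networks_only": allowed_only,
                "always_on_vpn": always_on_vpn}
    findings["compliant"] = all(findings.values())
    return findings

if __name__ == "__main__":
    for name, ok in check_profile(SAMPLE_PROFILE).items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
```

Run it against each profile export collected as evidence; a FAIL on any line is an item to fix or to cover in the documented rationale.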
Organizations can utilize Mobile Threat Defense (MTD) solutions integrated with their EMM to actively detect man-in-the-middle attacks, rogue access points, or insecure Wi-Fi connections, alerting administrators and automatically cutting off access to corporate data.
Meeting CSC-06-011 often requires collecting MDM profile exports, VPN enforcement screenshots, and exception documentation from multiple owners. Tools like WatchDog Security's Compliance Center can centralize these evidence items, map them to CSC-06-011, assign owners, and track review cadence so proof stays audit-ready.
If you cannot technically enforce secure connectivity on certain devices (often BYOD), you should record the scope, threat scenarios, compensating controls, and residual risk, then obtain documented approval. Tools like WatchDog Security's Risk Register can capture the exception, approvals, and treatment plan, while WatchDog Security's Policy Management can track the related policy language and required acknowledgements.
"enforce users to: disable automatic connections to open networks; avoid connecting to untrusted Wi-Fi networks; limit the use of Bluetooth and NFC for the exchange of sensitive information; use corporate Wi-Fi or cellular data network connectivity rather than public Wi-Fi; and use secure connectivity (VPN, Virtual Desktop etc.) when connecting to public Wi-Fi networks or provide the rationale for not doing so."
| Version | Date | Author | Description |
|---|---|---|---|
| 1.0.0 | 2026-02-24 | WatchDog Security GRC Team | Initial publication |