We have been testing how logging and security works with mobile devices that have been jailbroken. I am unable to find any logs related to this in systlog to setup alerting mechanism.
Where are the following logs stored:
1. when attempting to enroll a jailbroken device
2. when device has and enrolled software token, then its jailbroken and token is disabled.
Kind regards
My apologies for the delay in replying to your post. I did get a response from product management on your question. They say, "CAS doesn't get notified in any way if someone tried to use the Authenticate app on a jailbroken phone. There most likely will be logs on the user's device, but definitely not in the cloud."
Regards,
Erica
Dear Erica,
Thank you for the response. We are using an on-prem RSA Authentication manager, built on an appliance. The version is 8.3 p4.
We see on the backend CT-KIP requests happening on the jailbroken device, and then immediately the created token is deleted. It would be most useful and logical to add a simple feature on the app side or the RSA backend side to pickup attempts when jailbroken, and report it.
This is a critical feature that should be there, we need to know which users who may have tried to jailbreak their devices, and these are unmanaged devices. If this log entry doesnt exist, please escalate accordingly to have this added. It is of utmost importance for our security to know this, and who is attempting in order to stop attacks before they happen.
Kind regards,
Yildirim
Yildirim Zaynal,
My apologies for the delay in replying to your post. I did get a response from product management on your question. They say, "CAS doesn't get notified in any way if someone tried to use the Authenticate app on a jailbroken phone. There most likely will be logs on the user's device, but definitely not in the cloud."
Regards,
Erica