How does Mobile Device Manager Plus detect rooted devices in the network?

Description

Rooting a device gives the user additional control over it, but poses a security risk for organizations when rooted devices are used to access corporate data. Rooted devices are more prone to malware attacks because their security is compromised. And because these devices have access to corporate data, they also increase the risk of corporate data being lost through breaches.

To ensure the security of corporate data, it is therefore recommended that rooted devices not be used in organizations. Mobile Device Manager Plus allows organizations to detect rooted devices in the network and to remove them once they are detected. These rooted devices then cannot be enrolled into Mobile Device Manager Plus and thus lose access to corporate data.

This document explains how Mobile Device Manager Plus identifies these rooted devices and what can be done when such rooted devices are detected.

Conditions

A device is marked as rooted if any of the following conditions is met:

  1. If an app that can provide root access is present on the device.

    This is the simplest way to check whether a device is rooted. Some apps, such as SuperSU, can give users root access to the device, thus rooting it. Mobile Device Manager Plus scans the device for such apps, and if one is present the device is marked as rooted.

  2. If su or sudo commands can be run from the terminal.

    This is the most accurate rooted device detection method. If either the su or the sudo command can be run from the terminal, the device is rooted. Much of the malware created for mobile devices now also has rooting capabilities, and this method also detects whether malware has gained root access to the device.

  3. If the build tag is signed by test-key.

    This condition can be true in two cases: the user has rooted the device, or the OEM has signed the OS build with a test-key instead of a release-key. Although the second case could mean that the device was not rooted by the user or by malware, it is inherently a security risk for an organization to use such devices, which is why these devices are also marked as rooted.
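The three conditions above, written out as independent checks in an added example (this is not Mobile Device Manager Plus code). The function names and the one-entry app list are hypothetical, and an executable su or sudo file on the search path is used as a stand-in for "can be run from the terminal". Inputs are passed in as arguments so the script runs offline on constructed data.

```sh
#!/bin/sh
# Added example (not vendor code): the three conditions as independent checks.
# All function names and the ROOT_APPS list are hypothetical.

# Illustrative only; the product's list of root-granting apps is not on this page.
ROOT_APPS="eu.chainfire.supersu"

# Condition 1. $1 = installed package names, one per line (exact match only).
has_root_app() {
    for app in $ROOT_APPS; do
        printf '%s\n' "$1" | grep -qxF "$app" && return 0
    done
    return 1
}

# Condition 2. $1 = colon-separated directories to search for su or sudo.
has_su_binary() {
    old_ifs=$IFS; IFS=:
    for dir in $1; do
        for bin in su sudo; do
            if [ -n "$dir" ] && [ -f "$dir/$bin" ] && [ -x "$dir/$bin" ]; then
                IFS=$old_ifs; return 0
            fi
        done
    done
    IFS=$old_ifs; return 1
}

# Condition 3. $1 = build tags string (ro.build.tags on Android).
has_test_key() {
    case "$1" in *test-key*) return 0 ;; *) return 1 ;; esac
}

# Any one condition is enough. Prints which conditions fired.
rooted_reasons() {
    reasons=""
    if has_root_app "$1"; then reasons="$reasons root-app"; fi
    if has_su_binary "$2"; then reasons="$reasons su-binary"; fi
    if has_test_key "$3"; then reasons="$reasons test-key"; fi
    echo "${reasons# }"
    [ -n "$reasons" ]
}

# Constructed sample: stock packages, no su on the path, but a test-key build.
sample_pkgs="com.android.settings
com.android.chrome"
rooted_reasons "$sample_pkgs" "/nonexistent" "test-keys" || true
```

The constructed sample shows the OEM case from condition 3: no root app and no su binary, yet the device is still flagged because of the build tag alone.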

Once devices are marked as rooted, the admin can have them removed from management: navigate to Enrollment -> ME MDM app (under Android) and enable the setting that removes rooted devices from management when they are detected.