Understand the basics of mobile device management products
Implementing MDM products has traditionally been the go-to answer for securing mobile devices, but with the role of mobile devices in the enterprise growing, admins need a more comprehensive security option.
Mobile devices have become heavily integrated into enterprise networks, and the trend shows no signs of slowing down. As mobile devices continue to become more powerful and push the boundaries of what enterprise mobility is, organizations need to better secure these systems not just with mobile device management (MDM) products, but also with all-encompassing enterprise mobility management products.
Throughout the years, MDM has evolved from focusing on the operating system and hardware of a device to a more data-centric model of enterprise mobility management (EMM). The EMM market has grown in popularity, with mobile devices relying heavily on apps. In fact, EMM vendors now also include MDM as part of a comprehensive fix. Every major vendor is now focusing on the ability to manage data, content and applications apart from the ability to manage security at a device level.
EMM is a vast topic, often including MDM as a part of its package. This article will, however, focus on mobile security explicitly from the MDM perspective.
By applying custom policies to smartphones and tablets through MDM and EMM, an administrator can, for example, regulate these devices to be used only in ways that an organization deems appropriate under its security policy. This can limit the risk of lost data, stop unapproved software installs, and prevent unauthorized access to mobile devices that access corporate data and networks.
Mobile security, however, isn't just for large enterprises. Admins should consider it throughout all verticals -- no matter the size of the company.
The mobile security characteristics of MDM
When evaluating mobile device management products and vendors, these are the basic features to consider to form a baseline mobile security policy:
- PIN enforcement. Also used as a password to the system, admins can manage PINs to lock individual devices.
- Full disk encryption -- or containerized encryption -- of data or disks. An MDM product should be able to enforce encryption on any device it manages.
- Remote wipe. In the case of loss or theft.
- Secures data at rest and in transit. Ability to stop certain data from being copied or sent while on the device.
- Jailbroken or rooted device detection. Jailbreaking poses a significant risk because it enables users to install unapproved software and make changes to the mobile device's operating system.
Apart from these features, IT admins need to verify that the selected mobile device management products support all the smartphone and tablet platforms -- iOS, Android, Windows Phone and others -- that their organizations intend to manage and secure. There are additional features -- such as GPS tracking, VPN integration, certificate management, Wi-Fi policies and discovery -- that are useful, but might not be the first use case requirements for most companies.
While MDM does quite a bit when it comes to securing devices, there are a few things it doesn't do. For starters, many think web filtering is a default feature when, in fact, most -- if not all -- MDM vendors rely on separate systems to perform that function.
Another function people assume mobile management products perform is data backup. Mobile security vendors are not backing up mobile device data. If data is lost, it's gone unless a separate backup system has been put into place.
Many products are utilizing cloud storage, and customers need to review if those products fulfill their needs with the vendors directly. This is usually done via third-party apps and configuration settings, but not natively through mobile device management products. So there may be additional mobile security software protection needed beyond MDM
Licensing options for mobile device management products
Currently, there are two main licensing methods for purchasing MDM products and mobile security software: one license per device or multiple devices per license.
The first, standard one-license-per-device scenario works well for smaller companies without many users, or for businesses that are able to tie one mobile device system to each user. If an organization is only applying MDM on smartphones, and there is no chance end users will use another mobile device on the network, this method is a wise choice.
Editor's note:
The article discusses MDM, which was a stand-alone area for device management at the time of this article's original publication, but is now regarded as a part of EMM. Although some vendors still sell MDM independently, most offer MDM as a part of a broader EMM strategy. This article's focus will be on MDM software and its features. Read a more recent buyer's guide on EMM here.
However, due to the need for flexibility and the increased use of mobile devices -- especially with bring your own device initiatives -- it may become necessary to have multiple mobile devices -- typically three -- protected under a single user license. This comes in handy when users tend to have multiple devices -- a smartphone, tablet and the like -- but the business doesn't want to go through the hassle and expense of paying for a separate license for each device.
While user-based licensing is generally more expensive than single device licensing upfront, it can save companies a substantial amount of money over time as employees adopt more mobile devices.
Mobile management deployment options
The most common way to deploy MDM products is via a virtual image, but almost all vendors will offer a hardware-based product if necessary, and many are increasingly providing these services over the cloud as their default option
The virtual images are normally delivered in either OVA (Open Virtual Appliance) or OVF (Open Virtualization Format) file formats, and are fully contained OSes that enable organizations to import the software into existing virtual environments -- Hyper-V, VMware and others. The virtual images enable quick installation of the MDM vendor's software, with resource management owned by the customer.
There are, of course, some MDM customers who either don't have a virtual environment installed or who want to have the mobile management system running on isolated hardware for performance issues or security concerns. In those instances, MDM vendors ship a dedicated MDM system to the customer with detailed instructions on how to configure the hardware.
Running an MDM system on premises can, however, be cumbersome for customers, so a number of larger vendors offer their MDM products in the cloud as software as a service. This deployment option is growing in popularity, especially among MDM customers with limited resources.
Rolling out MDM products
Once MDM products are installed on the network -- using either a virtual image, hardware or the cloud -- administrators need to come up with an implementation plan across all the device types. Doing a slow rollout -- or enrollment -- across the enterprise is a smart choice, as there's going to be a learning curve for end users and administrators supporting the product.
All MDM products have apps that are either in the Google Play Store or the Apple App Store for users to download. Once enrolled, users are sent an email or text with installation instructions. When they download the app and it authenticates -- typically via Lightweight Directory Access Protocol or a one-time passphrase -- the organization's MDM policy with the preconfigured options is installed on the mobile device.
At this point, the mobile device is under control of MDM, and it can be appropriately managed by the IT staff.
Who manages mobile security?
Depending on the company size, a number of different teams may assist with the management of mobile security. Many large enterprises have resources dedicated to mobile security, while an SMB might have it added to an IT administrator's growing responsibilities.
The scope of admins really depends on whether a dedicated resource is needed to manage mobile security as a whole. It's very common in the midmarket, for example, to see different groups managing particular sections of an MDM system. The information security team could be responsible for creating a mobile security policy, with tech support assisting with issues or operational incidents after the mobile device is deployed, and a telecom group could be assisting with onboarding and removing the mobile security policies that have been created.
The cost of MDM deployment
Like all IT security products, there are going to be hard and soft costs to consider when deploying mobile security via MDM.
The hard costs of implementing mobile security for the first time include the costs of the product itself, potential new hardware to run it, initial support expenditures, testing and -- potentially -- professional management services.
The soft costs of running MDM include the additional hours of support required for troubleshooting, installing and maintaining the system. In addition, depending on the install base, there may need to be additional training, or even additional employees, added to support the product.