Six questions to ask before buying enterprise MDM products
Mobile device management can be a crucial part of enterprise security. Expert Matt Pascucci presents the key questions to ask when investigating MDM products.
As the mobile market continues to explode, it has become increasingly important for organizations to deploy mobile device management (MDM) to more effectively manage smartphones and tablets, as well as to better protect those mobile devices from data loss and malicious use. Today, it's really not a matter of if mobile device security should be deployed -- it's more a matter of when and how quickly.
It's imperative that businesses take the time to make an educated decision regarding which MDM platforms are right for their mobile management and security goals. The majority of MDM products perform very similar functions, but it is how they do so that must be closely reviewed and compared.
Before starting to compare and contrast MDM products, organizations should establish a set of specific criteria to make these comparisons. This will help them determine which MDM products will perform up to the standards required for their network and mobile device profiles.
To establish these criteria, enterprises should ask themselves the questions outlined in this article. The answers will lead them to build a personalized feature checklist that can guide them in determining which mobile device management products best fulfill their particular smartphone/tablet deployment and usage characteristics.
MDM: Is BYOD a consideration?
Protecting company data on personal mobile devices can be challenging. Bring your own device (BYOD) is something that needs to be reviewed in detail before making a decision on which MDM vendor to use.
Will the organization allow end users to use personal smartphones and tablets for business? If so, will users have the potential to store company data on their mobile devices while they're being protected and managed by an MDM product?
When evaluating MDM products for a BYOD environment, organizations should verify that vendors offer streamlined self-service enrollment and the ability to protect company data separately from personal information. A self-service model lets businesses enroll users in the MDM product quickly, so the appropriate security policies reach their mobile devices sooner. Admins can protect company data either through policy enforcement, pushing configuration changes with the company's security settings to the phone, or through containerization, which keeps all company data, and user access to that data, inside a secured app on the mobile device.
Organizations should carefully review these capabilities -- self-service options and data protection -- upfront with each MDM product under consideration for a BYOD environment.
MDM: On premises or in the cloud?
Many IT security applications are going the software as a service (SaaS) route these days, and MDM is no different. Before making a decision on whether to deploy on-premises or cloud-based MDM, it is important to understand the difference between supporting and managing the two mobile management and security methods.
Will IT have the technical know-how, time and manpower to manage an MDM system on site -- patching, building the infrastructure, managing the uptime of the environment and so on? Or will it benefit from eliminating these daily support factors by turning to an MDM product run in the cloud? Deploying a cloud-based MDM system often means greater flexibility for companies -- some products even enable them to set up test environments to train with and to verify settings before pushing those to production and out into the cloud.
These cloud-based MDM products are SaaS implementations that enable administrators to stop managing physical appliances and making firewall changes to allow access back into their networks. They are hosted on vendor servers, and often offer organizations the flexibility to have a separate install of the MDM product available for administrators to train on. Businesses could think of this as a quality assurance version of the MDM system that administrators can play with before making changes to the production version that's hosting live user accounts.
With cloud-based MDM, organizations need to weigh the risks of putting company data into an environment they don't completely control. The risks include having data hosted outside the network, being unable to control application uptime and relying on a third party for data security. The benefits include needing fewer resources to manage the MDM, no longer patching or maintaining MDM hardware and software, and having someone else secure company data. For some enterprises, those risks and the desire for control do not outweigh the benefits of managing and securing mobile devices from the cloud.
Those considering cloud-based MDM should be sure to perform due diligence on the cloud provider to gauge how it secures customer data before moving forward. It is ultimately an organization's data that will be stored in the cloud, so it should treat the security of this data the same as it would if it was stored within its physical network. In addition, verify that segmentation, vulnerability management and privacy are followed by the cloud provider to corporate standards.
A good place to start is by utilizing the Consensus Assessments Initiative Questionnaire (CAIQ) from the Cloud Security Alliance to dig deeper into each vendor's cloud security profile. The CAIQ is a survey designed to help cloud consumers and auditors evaluate the security capabilities of cloud providers.
What type of apps can integrate into MDM?
Businesses are employing apps on mobile devices to enable end users to work from anywhere nowadays. This ability to let users run CRM apps, custom apps built internally, or just about any app organizations would like employees to use, is an important consideration when selecting an MDM product.
The MDM products being considered by an enterprise should enable IT to manage, integrate and push policies to all the mobile apps the company supports. For example, if a business is using a CRM application that all of its sales team needs to access, it should be able to whitelist that app and push it down to the users' mobile devices. This offers more control over the device and version of the application being used by employees.
Certain MDM vendors, meanwhile, partner with app vendors to enable greater flexibility and security of their apps when used with their particular MDM product. These apps are tailored to MDM, or wrapped, to limit risk, or to allow only certain versions of the app to be installed.
There are also certain apps that organizations wouldn't want installed. The MDM of choice should be able to report on all the apps across a company's mobile device base, creating an inventory of what's installed and flagging unapproved apps that violate written policy. There should also be an option to lock down what can be installed on mobile devices, giving administrators the ability to whitelist so that app installs are limited to approved software.
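As an added example (not code from the article or from any MDM vendor), the following Python script runs the kind of inventory check described above against a constructed per-device app inventory and a written policy: a version-bounded allowlist, a denylist of apps the organization does not want installed, and a report of every device that violates either. The bundle identifiers, version numbers and device names are made up for the example.

```python
"""App-inventory policy check.

Added example, not from the article or any MDM product: compare the app
inventory an MDM reports per device against a written policy and report
devices that carry denylisted apps, non-allowlisted apps, or approved apps
running outside the permitted version range. All data is constructed.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class InstalledApp:
    bundle_id: str
    version: str


@dataclass
class AppPolicy:
    # bundle_id -> (min_version, max_version); None means unbounded on that side
    allowed: Dict[str, Tuple[Optional[str], Optional[str]]]
    # apps the written policy forbids outright, regardless of version
    denied: FrozenSet[str] = frozenset()
    # True: anything not on the allowlist is a violation (whitelisting mode)
    enforce_allowlist: bool = True


@dataclass(frozen=True)
class Finding:
    device_id: str
    bundle_id: str
    version: str
    reason: str  # "denylisted", "not_allowlisted" or "version_out_of_range"


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.2.10' into (3, 2, 10); a non-numeric component counts as 0."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def compare_versions(a: str, b: str) -> int:
    """Return -1, 0 or 1; shorter tuples are padded with zeros so 4.1 == 4.1.0."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))
    pb += (0,) * (width - len(pb))
    return (pa > pb) - (pa < pb)


def version_in_range(version: str, lo: Optional[str], hi: Optional[str]) -> bool:
    if lo is not None and compare_versions(version, lo) < 0:
        return False
    if hi is not None and compare_versions(version, hi) > 0:
        return False
    return True


def check_inventory(inventory: Dict[str, List[InstalledApp]],
                    policy: AppPolicy) -> List[Finding]:
    """Walk every device's app list and collect policy violations."""
    findings: List[Finding] = []
    for device_id, apps in sorted(inventory.items()):
        for app in apps:
            if app.bundle_id in policy.denied:
                findings.append(Finding(device_id, app.bundle_id, app.version, "denylisted"))
            elif app.bundle_id in policy.allowed:
                lo, hi = policy.allowed[app.bundle_id]
                if not version_in_range(app.version, lo, hi):
                    findings.append(Finding(device_id, app.bundle_id, app.version,
                                            "version_out_of_range"))
            elif policy.enforce_allowlist:
                findings.append(Finding(device_id, app.bundle_id, app.version,
                                        "not_allowlisted"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per reason, for a quick compliance dashboard."""
    return dict(Counter(f.reason for f in findings))


# Constructed sample policy: CRM must be a 4.x release, mail is unbounded,
# the files app must be at least 1.2, and a game is explicitly forbidden.
SAMPLE_POLICY = AppPolicy(
    allowed={
        "com.example.crm": ("4.0", "4.99"),
        "com.example.mail": (None, None),
        "com.example.files": ("1.2", None),
    },
    denied=frozenset({"com.games.puzzle"}),
)

# Constructed sample inventory as an MDM might report it, per device.
SAMPLE_INVENTORY = {
    "tablet-01": [InstalledApp("com.example.crm", "4.1.0"),
                  InstalledApp("com.example.mail", "2.3")],
    "phone-07": [InstalledApp("com.example.crm", "3.9.2"),
                 InstalledApp("com.games.puzzle", "1.0"),
                 InstalledApp("com.example.notes", "5.0")],
}

if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY, SAMPLE_POLICY):
        print(f"{f.device_id}: {f.bundle_id} {f.version} -> {f.reason}")
    print(summarize(check_inventory(SAMPLE_INVENTORY, SAMPLE_POLICY)))
```

With `enforce_allowlist=False` the same function degrades to a pure denylist report, which is the mode to use while an organization is still building its approved-app list and only wants to catch the apps it has already decided against.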
The mobile app is the reason smartphones and tablets have evolved so rapidly into essential tools for businesses over the last few years. The integration of business apps into MDM assists with provisioning these apps/business tools and enables faster and -- even more importantly -- more secure deployment and support.
Will MDM agents be container-less or containerized?
It is important to know whether a mobile management and security product that is under consideration is based on the ideology of containerization or if it uses the container-less philosophy.
Containerization installs all MDM data within a dedicated agent container on mobile devices. This means any company-owned data is stored securely within an app without fear of leakage or theft. Nothing is able to enter the container -- or be removed from it -- while it is on the mobile device.
Container-less MDM, on the other hand, offers a more native experience for end users because they don't have to perform all of their job activities, such as email and file storage, from within a container app. These MDM products let employees use apps already installed on their mobile devices, whereas products based on containerization only let them use apps that are within the container.
There are pros and cons to both sides, so before looking at MDM vendors, an organization should understand which school of thought, containerization or container-less, it subscribes to first.
With containerization, since all company data and applications are held in an app that's walled off from the rest of the mobile system and can be managed at the drop of a hat, IT can be confident that nothing related to the company is left lingering once it removes the app from a mobile device. By contrast, container-less MDMs maintain the native feel of mobile devices, which is a benefit to end users, but they are harder for security teams to manage because company data and apps are not isolated, or walled off, from personal data and apps as they are with containerized MDM.
Organizations that prefer to offer end users a more seamless mobile device experience should consider container-less MDM first. Just be certain that the MDM products under consideration give IT the ability to confidently monitor and remove company data and applications when needed. If an MDM product can't let admins easily wipe all corporate data from a device, there's a possibility that sensitive information will make its way out of employee, and thereby company, hands. This needs to be seriously considered when using container-less MDM.
Editor's note:
This article discusses MDM, which was a stand-alone area for device management at the time of this article's original publication, but is now regarded as a part of EMM. Although some vendors still sell MDM independently, most offer MDM as a part of a broader EMM strategy. This article's focus is on MDM software and its features. For more information on EMM, read this more recent buyer's guide on the topic.
What MDM profile options are available?
Besides the functionality questions described above, one of the most important areas to focus on when reviewing potential MDM candidates is profile options. It is here that companies will review security capabilities to determine if MDM products have all the features required for securing not only company data, but also the mobile device itself.
An organization's policy of what security features are required or can be enabled should be written out before entering into conversations with MDM vendors. Knowing how locked down an enterprise wants mobile devices to be will assist it in asking the proper questions when procuring a mobile management and security product.
How are MDM products priced?
MDM products are priced out in a few different ways today. Be sure to review all your budgeting options before making a purchase.
For instance, you should first determine whether the MDM system will be based in the cloud or on premises, as the two deployment types affect the organization's IT budget in different ways. Cloud-based MDM will be an operational expenditure (Opex), meaning it comes from the budget that covers licensing and operational improvements to the business, while an on-premises MDM deployment will mostly be a capital expenditure (Capex), meaning it is treated as a fixed asset, something purchased as an improvement to the business.
The budget options also contribute to deciding what type of deployment a company can afford. For example, even though going for cloud MDM might be cheaper, the Opex budget may not be there to support that type of deployment. As a result, this could force an organization's hand toward an on-premises product.
Also, in terms of user licensing, there are pricing models where vendors license MDM systems either by device or by user. Depending on the organization, it may be cheaper to go with a user-based model, where the organization pays for one user account and puts it on as many devices as needed, or the device-based model, where a vendor charges based on every system on which the software is installed.
Which model fits depends on how devices are issued. A device-licensed MDM product is the more straightforward purchase if the company issues the devices and controls what employees use. The user-licensed option suits organizations that let end users install the license on multiple devices, not just the one IT issued to them.
There is also a hybrid licensing method that combines the two, using device licensing for employees with a single company-issued device and user-based licensing for those, like executives, who want multiple devices at their disposal. Organizations sometimes pay this way to get the most for their money.
There are many factors to consider when purchasing an MDM product for securing and managing mobile devices. The questions outlined in this article are designed to get readers thinking about their organization's individual MDM needs before starting to evaluate specific MDM vendors.
The biggest decision you need to make is the type of MDM you want to install. Will it be a containerized system or a container-less MDM? After deciding which way to go regarding this approach, administrators should decide what security options they want in an MDM product.
Once this is completed, you should review where the MDM will be installed and managed. Will it be in the cloud, or will it be brought in house to be managed? Does the organization have the resources to manage the system in house, or does it trust the application being installed outside its network -- in the case of cloud-based MDM?
These decisions will vary slightly by the size of the company. Many times, a smaller company will choose the cloud with a single device license because it's easier to manage, whereas a medium to large company may want an MDM that's container-based with user licensing that is installed in house because it's worried about the loss of data across multiple user devices.