Three enterprise scenarios for MDM products
Expert Matt Pascucci outlines three enterprise use cases for mobile device management products to see how they can protect users, devices and corporate data.
Mobile devices have become mandatory in today's business world of fast-moving, data-driven end users. While smartphones and tablets provide employees with the flexibility to perform their jobs without borders, they engender major concerns regarding data security and privacy risks for organizations.
This is where mobile device management (MDM) products come into the picture. MDM products enable people to perform their jobs efficiently and effectively while assisting IT to protect company data and secure mobile devices from malicious access.
There are three major scenarios to consider when you've decided to implement MDM products: the protection of data on mobile devices, defending mobile systems themselves, and securing sessions and data in transit between smartphones/tablets and the company network.
MDM product scenario #1: Data protection
Securing data on mobile devices is the most crucial reason to deploy MDM products. Mobile devices are, in reality, small computers with powerful processors and large amounts of storage, and when they are used within an enterprise they hold, and have access to, the same data as a standard PC or laptop.
Editor's note:
The article discusses MDM, which was a stand-alone category of device management at the time of this article's original publication, but is now regarded as a part of enterprise mobility management (EMM). Although some vendors still sell MDM independently, most offer MDM as a part of a broader EMM strategy. This article's focus is on MDM software and its features.
With that in mind, organizations must extend enterprise-grade data protection to these devices without limiting their important and elastic roles within the company.
MDM vendors employ two methods, or ideologies, to protect data on mobile devices: containerization and non-containerization.
Taking a containerized approach to MDM
A mobile security product that uses the containerized ideology will dedicate a small partition of its storage to the MDM application on the mobile device, limiting all corporate data, apps and communication to this containerized section. With a containerized approach, the data from a smartphone or tablet can't be inserted into the MDM application -- and vice versa -- and these types of mobile device security platforms normally add an extra layer of protection by requiring users to log in to MDM separately from the device itself.
The pro of implementing containerized MDM is that if the mobile device is ever lost or stolen, or if someone leaves the organization, a wipe of the MDM app on the smartphone or tablet removes all instances of corporate data. That way, admins never have to worry about missing something important.
The cons of containerized MDM are that end users often can't use the apps they're accustomed to, and organizations often don't have the flexibility to leverage custom tools or programs. This is because MDM vendors need to partner with app creators to allow software to enter the encrypted partition. And, while many MDM vendors do work with software developers, not every app is natively compatible.
The non-containerized approach to MDM products
The non-containerized approach to mobile security gives users a native experience on their mobile devices and the ability to use traditional apps. Unlike the containerized approach, it provides users with the flexibility to run the apps they're used to, and it makes data easier to reach from third-party software than the containerized approach does. This goes for both business and personal data. How far that access extends depends on the policy created by the MDM administrator; the configuration can also lock down company apps and personal apps.
This approach, while gaining in popularity over containerization due to its flexibility for the end user, needs to be reviewed by administrators beforehand in great detail.
There are options for using data loss prevention tools on mobile systems that aren't containerized. These inspect and protect the data before it leaves the mobile device. Many MDM tools are creating partnerships with software vendors for mobile app integration and management through these products. This app wrapping enables secure and flexible access to data with the help of granular policies.
The protection of data on mobile devices is paramount. It factors heavily in the remaining two scenarios outlined below, and should be at the forefront of the decision-making process when companies look to deploy MDM products.
MDM product scenario #2: Device protection
Now that the data has been secured, let's review ways in which MDM can assist with protecting the mobile devices themselves. This is an important topic because if a smartphone or tablet isn't secure, it can lead to the infection of the network and compromised data.
Jailbreaking/rooting detection
Most MDM systems can alert admins if a user attempts to jailbreak/root a smartphone or tablet. A rooted or jailbroken mobile device enables a user to perform functions -- gaining admin access, downloading and installing apps from outside the app store and, with them, potentially malware, among others -- that are not intended by the manufacturer or approved by IT and the organization.
Sure, these aren't all necessarily that bad, but jailbreaking opens up risks to the corporate network that are best avoided by negating the ability for users to root their smartphones and tablets in the first place.
PIN and passcode enforcement
The first line of defense that every mobile device requires is password protection. Having MDM push down a policy to enforce a PIN or passcode on smartphones and tablets -- with a timeout period -- is an easy way to secure systems from unintended access by intruders who may have stolen or found a device.
Although seemingly very simple and not very significant, enforcing password security through MDM should be mandatory.
Remote wipe
The option to remote wipe a smartphone or tablet is a lifesaver when it comes to devices that are no longer in the possession of their rightful owner. This ensures that anything on a smartphone or tablet is no longer accessible, as the value of data on a smartphone or tablet is worth a whole lot more than the mobile hardware itself.
Operating system changes and apps
With a simple MDM policy, an administrator can restrict what apps users can install and can limit the OS changes they can perform on a smartphone or tablet -- for example, by only allowing the installation of certain apps using a whitelist and making sure all cameras are turned off on supported smartphones. This reassures the organization that rogue apps that could infect its mobile devices, which can lead to data loss or worse, won't be installed.
It also keeps mobile systems in a baseline OS configuration for the network, making them easier to manage. This level of app and system control is a must-have when it comes to distributing mobile devices to end users.
Mobile device encryption
Companies should encrypt all mobile devices that contain important company data. An MDM product can assist in this by forcing encryption on all supported smartphones and tablets -- similar to the way full disk encryption does for laptops and desktops. Encryption protects the mobile device itself and the data that lives on it. It is important to enable device encryption on all mobile devices, even for enterprises that use a containerized MDM product.
MDM product scenario #3: Protecting mobile connections
Now that MDM has protected mobile data and the mobile devices themselves, it's time to focus on how to make sure these smartphones and tablets communicate safely. This last scenario centers on how MDM products can help secure the connections and sessions established between mobile devices and company resources.
With MDM, organizations can mitigate the risk of insecure communication in two ways: by blocking third-party configurations from removing certain functions from the mobile device, and by enabling certain features within the mobile management product. One feature to review is the ability to enable VPN connections on mobile devices so they communicate back to the organization securely.
In addition, there are many times when users need to access data or services on the internal network. So, instead of letting them access these resources insecurely, many MDM products enable admins to require a VPN connection to the corporate site for secure data access.
Another method to secure company network access is to restrict insecure access by limiting the service set identifiers (SSIDs) that wireless devices can use. While this can become somewhat restrictive, admins can create a policy so that mobile systems in range of the corporate network always prefer the secured wireless connection over an insecure wireless network that might also be available and accessible.
Having the ability to use internal certificates pushed to mobile devices from company servers for an extra layer of authentication is also recommended.
There are MDM options available that limit access to certain websites. Called secure web browsing, this technology is normally connected back to the corporate network, and it enables the implementation of an additional policy to keep users' browsing experiences secure via an organization's normal web proxy or web filtering service. Since mobile devices are extensions of the corporate network, having the same web policy pushed to them as on-site computers enables consistent security and user experiences when it comes to web access.
Lastly, certain MDM systems include a feature called geofencing that only allows mobile devices to work within a certain geographical location. This may be too restrictive for users who travel with their smartphones and tablets, which -- granted -- is most users. But for those mobile devices that shouldn't leave a certain location, say mobile point-of-sale systems, once the handheld goes beyond a predetermined boundary, it'll be deemed unusable by company policy.
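The device-protection checks from scenario #2 (jailbreak/root detection, passcode enforcement, app whitelisting, encryption) and the geofence from scenario #3, evaluated together as one compliance policy over a device inventory snapshot. This is an added illustration, not code from the article or from any MDM vendor; the device fields, the whitelist, the geofence coordinates and the action names are constructed assumptions.

```python
import math
from dataclasses import dataclass

@dataclass
class Device:
    """Snapshot of one enrolled device as an MDM inventory might report it (constructed shape)."""
    name: str
    rooted: bool             # jailbreak/root detection result
    passcode_set: bool       # PIN/passcode policy satisfied
    encrypted: bool          # device storage encryption enabled
    installed_apps: set      # app identifiers reported by the device
    location: tuple          # (lat, lon) last reported, decimal degrees
    geofenced: bool = False  # True for devices that must stay on site (e.g. mobile POS)

# Constructed policy values for this example; they are not from any real MDM product.
APP_WHITELIST = {"mail", "calendar", "pos-terminal"}
GEOFENCE_CENTER = (40.7128, -74.0060)   # constructed coordinates of the "store"
GEOFENCE_RADIUS_KM = 0.5

# Each violation maps to a response; the most severe response across all findings wins.
SEVERITY = {"ok": 0, "alert": 1, "remediate": 2, "block": 3}

def distance_km(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def evaluate(dev):
    """Return (list of violations in check order, action) for one device snapshot."""
    findings = []  # (violation, action)
    if dev.rooted:
        findings.append(("rooted/jailbroken", "block"))          # cut corporate access, alert admins
    if not dev.passcode_set:
        findings.append(("no passcode", "remediate"))            # push the passcode policy
    if not dev.encrypted:
        findings.append(("storage not encrypted", "remediate"))  # force encryption on
    rogue = dev.installed_apps - APP_WHITELIST
    if rogue:
        findings.append(("apps outside whitelist: " + ", ".join(sorted(rogue)), "alert"))
    if dev.geofenced and distance_km(dev.location, GEOFENCE_CENTER) > GEOFENCE_RADIUS_KM:
        findings.append(("outside geofence", "block"))           # device deemed unusable off site
    action = max((a for _, a in findings), key=SEVERITY.get, default="ok")
    return [v for v, _ in findings], action

if __name__ == "__main__":
    pos = Device("pos-4", False, True, True, {"pos-terminal"}, (40.75, -74.0060), geofenced=True)
    print(evaluate(pos))
```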
Mobile devices are de facto business tools for almost everyone working today. Due to this wave of popularity, organizations need to secure the data, systems and connections mobile devices use, as well as the smartphones and tablets themselves.