
How to successfully implement MDM for BYOD

Implementing MDM in BYOD environments isn't easy. IT should communicate with end users to set expectations about what personal information the MDM platform can and cannot track.

Due to advancements in OS features and mobile device management platforms, it's possible to implement a BYOD policy that meets a user's productivity and privacy needs without compromising on data security -- but it requires considerable planning.

It becomes even more difficult when organizations introduce unified endpoint management (UEM) and mobile device management (MDM) for BYOD. However, it's still possible to balance the needs of the company with the needs of the user.

To deploy a successful BYOD initiative, IT admins must properly devise the MDM policies that they apply to devices and ensure that employees clearly understand the implications of these policies. Some organizations, for example, offer a stipend or other method of reimbursing the costs of device use, while others only permit app access and do not pay users' expenses.

Set clear expectations on end-user FAQs

Whichever BYOD model an organization adopts, it must set expectations for the users in advance so they can operate according to the agreed-upon system. For example, if a user submits a bill for expenses and discovers they're not entitled to claim it -- despite believing they would be -- it can cause friction between the user and the organization.

End users are often happy to comply with policies once they know what they're signing up for. The policy will fail if administrators tell users they cannot see certain features and then break that trust. To successfully implement MDM for BYOD, an organization should alleviate common user concerns, such as the following:

Can MDM track browser history? No, but MDM can be used to deploy over-the-top services that can redirect, control and monitor traffic, both SIM-based and over Wi-Fi. Organizations that do this should make users aware of it and consider a separate policy for BYOD users.

[Figure: Combine UEM with BYOD. Successfully combining UEM and BYOD requires trust and transparency between the organization and the user.]

Can MDM read text messages? Not on iOS, as Apple has not provided any hooks for MDM to do this, even with supervised devices. It is possible on some versions of Android, but IT will rarely deploy native controls for reading text messages. Text messages can be routed to corporate email archives. Most messaging apps deploy end-to-end encryption on messages, making the contents inaccessible to IT departments.

Highly regulated organizations can deploy third-party products to record business information, but this should be clearly communicated to users and usually leaves an unscreened area for personal communications. Companies that are required to record such communications typically don't allow BYOD for regulated users, as the balance between user privacy and compliance is difficult to implement.

Can MDM track location? Yes, and it can prevent the user from disabling location services once enrolled in MDM. Most MDM platforms, including VMware Workspace One UEM, IBM MaaS360, MobileIron and others, have privacy settings to prevent location tracking of BYOD devices. IT departments should always be clear on whether location is tracked for all groups, tracked for specific users or not enabled.

Can MDM platforms see which applications are installed on a user's phone? Typically, the MDM platform takes application inventory once users enroll their devices. Using privacy settings, IT departments can opt not to see this or to only see line-of-business apps deployed from an in-house app store. Restricting visibility is a good idea, as personal apps can reveal information on health, religion or sexuality that IT departments should avoid wherever possible.

What happens with MDM for BYOD if an employee leaves the company? When an employee leaves the company, their device is typically retired from the corporate MDM or enterprise mobility management platform. All company apps and data are purged from the device, while personal information remains intact. A good BYOD policy will strictly segregate business information from personal information to protect the organization, but when it comes to offboarding, this also benefits the user. Retiring devices is often referred to as a selective wipe, and during this process, IT should also revoke any credentials the user had to access corporate apps. MDM platforms such as VMware Workspace One UEM and MobileIron offer protection against factory resets for devices flagged as personally owned so that they won't be wiped accidentally.

How to balance security and privacy

Organizations can implement BYOD policies using different approaches. Organizations should always keep business information from leaking out to personal cloud storage or anywhere that is beyond the reach of IT departments. Some MDM platforms, such as MobileIron, offer a wrapping service for apps, while others, such as VMware Workspace One, deploy separate workspaces. Android Enterprise offers a work profile that IT can manage while the rest of the device remains for personal use.

Even if an organization allows personal devices to access corporate resources, it should establish certain baselines to maintain security. Organizations should support a minimum OS version to ensure that devices receive recent patches and address known vulnerabilities. For Android, it is worth restricting handset types to reputable manufacturers; Google provides a list of Android Enterprise Recommended devices. To make the list, manufacturers must commit to service-level agreements to release patches and ensure that the devices have access to several OS upgrades.

The latest versions of iOS and Android have included advancements in user privacy while still allowing companies to determine whether the posture of each device is secure. Apple introduced user enrollment with iOS 13, which keeps personal details such as device serial number and IMEI private but allows IT to deploy and manage apps within a dedicated device partition. And since Android 10, organizations can enforce a minimum-strength unlock code, block unknown sources from installing apps and determine whether users can sync personal calendars with work calendars.
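The baseline described in this section, combined with the app-inventory privacy setting from the FAQ above, can be sketched as a posture check that reads only security-relevant fields and hides personal apps on BYOD devices. This is an added example, not code from the article or from any MDM vendor; the field names, the baseline values, the handset list and the sample device are all constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed baseline for illustration; values and names are assumptions.
MIN_OS = {"ios": (13, 0, 0), "android": (10, 0, 0)}
APPROVED_ANDROID_MODELS = {"ExamplePhone A1", "ExamplePhone B2"}  # stand-in list

@dataclass
class Device:
    owner: str                      # "personal" (BYOD) or "corporate"
    platform: str                   # "ios" or "android"
    os_version: str
    model: str
    passcode_compliant: bool
    unknown_sources_allowed: bool
    apps: list = field(default_factory=list)   # (app_id, managed_by_it) pairs

def parse_version(text):
    """'13' -> (13, 0, 0), so short strings do not compare below '13.0'."""
    parts = [int(p) for p in text.strip().split(".")][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def posture_findings(dev):
    """Return the baseline rules the device fails, using posture fields only."""
    findings = []
    try:
        if parse_version(dev.os_version) < MIN_OS[dev.platform]:
            findings.append("os_below_minimum")
    except (ValueError, KeyError):
        findings.append("os_unverifiable")   # fail closed on odd version strings
    if dev.platform == "android":
        if dev.model not in APPROVED_ANDROID_MODELS:
            findings.append("handset_not_approved")
        if dev.unknown_sources_allowed:
            findings.append("unknown_sources_allowed")
    if not dev.passcode_compliant:
        findings.append("passcode_below_policy")
    return findings

def visible_inventory(dev):
    """Apps IT may see: only IT-deployed apps on personally owned devices."""
    if dev.owner == "personal":
        return [app for app, managed in dev.apps if managed]
    return [app for app, _ in dev.apps]

# Constructed sample record, not real inventory data.
SAMPLE_BYOD = Device("personal", "android", "9.1", "ExamplePhone A1", True, True,
                     [("com.example.lobapp", True), ("com.example.healthtracker", False)])

if __name__ == "__main__":
    print(posture_findings(SAMPLE_BYOD), visible_inventory(SAMPLE_BYOD))
```

Keeping the posture check and the inventory view as separate functions means a compliance decision never needs the personal app list at all.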
