Tech Guide: Mobile Device Management

Contents
Editor's Note
BYOD Increase Calls for Enterprise Mobile Device Management Systems
Mitigating BYOD Risks with Mobile Device Management Systems
MDM 2.0: Meeting New Mobility Management Needs

Editor's Note
from and stored on mobile devices. IT security teams need to maintain security and ensure compliance while still allowing flexible user access. So what is an IT security team to do?

In this technical guide, wireless expert Lisa Phifer discusses how the BYOD trend is leading IT teams to invest in and deploy mobile device man-

right choice for your organization, Phifer explains how to deploy and apply MDM to reduce security risks brought on by BYOD. This includes enforcing compliance and testing the MDM system before fully deploying it in your environment.

Lastly, Phifer explores the idea of MDM 2.0: security and control beyond smartphones and tablets. As mobile security in the enterprise continues to expand, taking a look at the future can help IT security teams prepare for the next wave of MDM. Phifer discusses letting go of the idea that MDM is a tool for mobile device lockdown, but instead a means for providing customizable security and control based on a user's needs and preferences.

Rachel Shuster
Associate Managing Editor, TechTarget's Security Media Group
MDM SYSTEMS
ness objectives. However, just 39% had deployed security controls needed to address that risk; fewer than half of those could enforce mobile security policies.

Unfortunately, this lax governance has already resulted in non-compliance and data breaches. In Ponemon's survey, 59% said employees disengaged fundamental measures such as passwords; another 12% were unsure. It should, therefore, come as no surprise that half of those organizations had experienced mobile data loss during the past year.
remotely wipe those that were lost. But these basic measures fell short of governance needs. Certainly, they did not satisfy compliance mandates to encrypt data at rest, nor could they deliver proof of continuous enforcement or meet access tracking and audit requirements. Although EAS support in newer devices continues to expand, this messaging-centric approach
Unlike BES, which uses a proprietary approach to manage only RIM devices running the BlackBerry OS, multi-platform MDMs are third-party products that use open APIs to tap the native interfaces and capabilities offered by many different devices. Today, it is common for MDMs to manage Apple devices running iOS 4+, Samsung/Motorola/HTC/LG devices running Android 2.2+, and an array of handheld and embedded devices running WinCE and Windows Mobile. Limited MDM support can also be found for Windows Phone and WebOS devices. However, the degree of monitoring and control delivered for each managed device varies by make/model and OS version.
For example, MDMs can usually enforce device-level access controls on iOS and Android devices. On iOS, IT may require alphanumeric passcodes with minimum length and special characters and limit passcode age, reuse, idle time, or failed entry attempts. On Android 3+, IT can enforce all of this, plus require upper/lowercase letters, digits, and symbols. Every MDM that supports iOS and Android exhibits this difference because it reflects native OS capabilities. However, the extent to which each MDM tries to hide such
can use any MDM on the market to request a full-device wipe. Because all Apple iPhones and iPads now support full-device encryption, remote wipe

ever, wiping most Android phones simply resets them to factory default, leaving cleartext behind on removable storage. MDMs cannot eliminate this native shortcoming; doing so falls to device manufacturers. But MDMs can provide tools to centrally invoke remote wipe, confirm a requested wipe has been completed, report on all wiped devices (including ownership and last known location), and clearly describe the consequences for each wiped device.
This is where MDM depth comes into play. Some MDMs stick to managing hardware, software and policies. Other MDMs pile on value-added security measures. For example, some MDMs create their own authenticated, encrypted data containers on managed devices. Any enterprise data stored in those containers can be reliably wiped, even on phones and tablets that do not support native full-device encryption. Moreover, this approach lets
agement and still others specialized in mobile security. Yet most of these MDMs deliver foundational capabilities such as inventory and policy management that cause them to appear superficially similar. Drilling beyond functional comparison can also reveal

Enterprises flocking to multiplatform MDM technology to gain IT visibility and control over personally owned devices may find it hard to directly compare products.

place, four out of five respondents identified policy compliance and data security/access as top concerns. However, nearly the same percentage cited ensuring IT support and resource availability, readying mobile applications and setting employees up with multiple devices as major issues. In other words, choosing an MDM based on its ability to meet security needs alone may be shortsighted.
Instead, begin with lifecycle management. Even if the employer does not own an employee's mobile device, it owns the business data and applications stored on that device. Start by establishing a process for tracking and managing those assets through each device's lifetime.
Doing so creates an essential foundation for not just security management, but expense tracking, user assistance, application and data deployment and more. MDMs can enable lifecycle management by automating device enrollment, monitoring and de-enrollment, independent of ownership. Most MDMs support IT-initiated enrollment; some also offer user-initiated enrollment. Either way, users follow links to a self-help enrollment portal where they are prompted to enter credentials.

Behind the scenes, the MDM typically authenticates the user and compares user and device to IT-defined policies. If this user is permitted to enroll this device, based on make/model, OS, ownership and group membership, access may be authorized. MDMs may display an acceptable use policy and issue a device certificate before continuing on to provision the device over-the-air, applying device settings, security policies and applications.
By automating enrollment, IT can deliver scalable support for many personally owned devices while placing well-defined limits on acceptable use. Devices that pass muster can be outfitted for safe, productive business use, leaving IT well-positioned to continually monitor activity and enforce security policy compliance. If an enrolled device should be lost or stolen or become non-compliant, IT can use MDM to remotely find, lock or wipe it.

In addition, MDM may be used to invoke temporary stop-loss actions such as removing settings that permit corporate email, VPN or application access. Eventually, when the employee leaves the company or the device is replaced, MDM can easily de-enroll it while wiping corporate assets. Many MDMs can now differentiate between full-device and enterprise wipe, letting IT decommission an employee's device without harming personal data.
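The enrollment decision described above (authenticate, then check make/model, OS version, ownership and group membership before provisioning), together with the iOS/Android passcode-capability difference noted earlier, as an added illustrative example; this is not code from the guide or from any MDM product, and the policy values, group names and profile keys are constructed assumptions:

```python
"""Enrollment policy evaluation (assumed design): authenticate the user,
check user and device against IT-defined policy, then build the over-the-air
provisioning profile. All values are constructed."""
from dataclasses import dataclass

# Constructed policy: minimum OS per platform, permitted ownership types and
# directory groups. Not any real product's configuration.
ENROLLMENT_POLICY = {
    "min_os": {"ios": (4, 0), "android": (2, 2)},
    "allowed_ownership": {"corporate", "personal"},
    "allowed_groups": {"sales", "engineering"},
}

# Passcode settings both iOS and Android can enforce natively.
BASE_PASSCODE = {"alphanumeric": True, "min_length": 8, "max_age_days": 90,
                 "history": 4, "idle_lock_min": 5, "max_failed": 10}

@dataclass
class Device:
    platform: str      # "ios" or "android"
    os_version: tuple  # e.g. (4, 0); tuples compare element-wise
    ownership: str     # "corporate" or "personal"

@dataclass
class User:
    name: str
    groups: set
    authenticated: bool  # outcome of the directory login at the portal

def evaluate_enrollment(user, device, policy=ENROLLMENT_POLICY):
    """Return (allowed, reason); every denial names the failing check."""
    if not user.authenticated:
        return False, "authentication failed"
    min_os = policy["min_os"].get(device.platform)
    if min_os is None:
        return False, f"platform {device.platform} not supported"
    if device.os_version < min_os:
        return False, "OS version below minimum"
    if device.ownership not in policy["allowed_ownership"]:
        return False, "ownership type not permitted"
    if not user.groups & policy["allowed_groups"]:
        return False, "user not in an authorized group"
    return True, "enrollment permitted"

def provisioning_profile(device):
    """Passcode policy to push; the complexity rule is native to Android 3+ only."""
    profile = dict(BASE_PASSCODE)
    if device.platform == "android" and device.os_version >= (3, 0):
        profile["require_upper_lower_digit_symbol"] = True
    return profile
```

An Android 2.2 device can therefore enroll under this policy but receives a weaker passcode profile than an Android 4 device, which is the make/model and OS-version dependence the guide describes.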
DEPLOYING MDM
or Wi-Fi; and selectively disabling hardware and OS features such as integrated cameras. When properly configured, these native settings deliver most (but not all) mobile security best practices for personal smartphones and tablets.

bute. MDM-configured controls for Android are more varied because the devices themselves are more diverse. Notably, manufacturers such as Samsung and Motorola have extended native APIs with proprietary attributes to give IT greater visibility, control and flexibility.

Ultimately, mobile security management requires careful analysis of the native device and OS features needed to implement policies, and confirmation that any MDM under consideration can deliver visibility and control over those features. Where native capabilities are insufficient, MDMs can also help by deploying, configuring and enforcing third-party security measures.
For example, health care organizations often use MDM to centrally deploy two-factor authentication, VPN clients and virtual desktop applications. Enterprises concerned about mobile malware can use MDM to push sandboxed browsers and antimalware. To an MDM, these are simply applications that must be installed and maintained. For this reason, organizations focused on MDM to enable security should also evaluate each product's application management capabilities.
ENFORCING COMPLIANCE WITH MDM TECHNOLOGY
For small mobile workforces, IT could enroll devices one by one, manually installing required security and business applications, but that does not scale, nor does it enable continuous monitoring and enforcement. This is where MDM technology can yield return on investment through logging, auditing and compliance enforcement.
Mobile device management systems can capitalize on their over-the-air APIs, notably Apple iPads and iPhones. Deeper than EAS insight on other devices (e.g., Android, Windows Mobile) usually requires installing a device-resident MDM agent.

Today, MDM vendors publish their agents at the Google Android Market or the Apple AppStore where users can freely download them. Upon installation, agents connect to a corporate MDM server that may be installed on-premises, hosted by a managed service provider, or operated as a cloud service. Thereafter, MDM agents can serve as IT's eyes and ears, logging activities, reporting on events, and carrying out MDM requests that go beyond native capabilities.
For example, it has become common for MDM agents to offer jailbreak or root detection. Jailbreaking or rooting poses business risks because it renders the underlying OS unreliable and raises concerns about device integrity. Jailbroken Apple devices are vulnerable to mobile malware downloaded from non-Apple websites. Rooted Android devices are even more vulnerable because applications can access normally privileged features.

By immediately detecting such activity, MDM agents can notify administrators and users. IT can even install enforcement policies that automatically take actions such as disabling email or VPN access, removing enterprise applications or even wiping an offending device. Although available actions are limited by the mobile OS, they can still go a long way towards reducing business risk and encouraging voluntary compliance.
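The automated enforcement just described (agent detects jailbreak/root or policy drift, IT is notified, and actions escalate from blocking email/VPN to removing enterprise apps to a wipe), as an added illustrative example; it is not code from the guide or from any MDM agent, and the report format, device ids and escalation ladder are constructed assumptions:

```python
"""Automated compliance enforcement from MDM agent reports (assumed design):
jailbreak/root is handled at once, ordinary policy drift is escalated one
step per failing check-in. All reports are constructed."""
from collections import defaultdict

# Constructed agent check-ins, oldest first.
AGENT_REPORTS = [
    {"device": "d1", "platform": "ios", "jailbroken": False, "passcode_ok": True},
    {"device": "d2", "platform": "android", "rooted": True, "passcode_ok": True},
    {"device": "d3", "platform": "ios", "jailbroken": False, "passcode_ok": False},
    {"device": "d3", "platform": "ios", "jailbroken": False, "passcode_ok": False},
    {"device": "d3", "platform": "ios", "jailbroken": False, "passcode_ok": False},
]

# Escalation ladder for policy drift; the last step repeats until fixed.
DRIFT_LADDER = ["notify", "block_email_vpn", "remove_enterprise_apps"]

def violations(report):
    """Name the policy violations present in one agent report."""
    found = []
    if report.get("jailbroken") or report.get("rooted"):
        found.append("integrity")   # OS integrity can no longer be trusted
    if not report.get("passcode_ok", True):
        found.append("passcode")
    return found

def enforce(reports, ladder=DRIFT_LADDER):
    """Replay reports in order and return {device: [actions taken]}.
    Integrity violations skip the ladder: notify and wipe enterprise data
    immediately. A clean check-in resets the device's strike count."""
    strikes = defaultdict(int)
    actions = defaultdict(list)
    for report in reports:
        dev = report["device"]
        found = violations(report)
        if not found:
            strikes[dev] = 0
            continue
        if "integrity" in found:
            actions[dev].extend(["notify", "enterprise_wipe"])
            continue
        actions[dev].append(ladder[min(strikes[dev], len(ladder) - 1)])
        strikes[dev] += 1
    return dict(actions)
```

The wipe step is an enterprise wipe of corporate assets rather than a full-device reset, matching the distinction the guide draws for personally owned devices.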
MDM 2.0
quirements continue to evolve. To address these advanced needs, better integrated and more granular MDM tools are emerging. Let's look at some of these innovations and how to put them to work.

MDM products initially focused on device inventory and provisioning but have expanded to address a broader range of needs, from security controls to expense management. However, BYOD is now driving interest in more granular tools to manage not only entire devices, but also the individual business assets carried on them, specifically applications and content.

Today's MDM products often include application management functions, ranging from software inventory and whitelist/blacklist controls to application installation, configuration, update and disablement/removal. One innovation called app wrapping beefs up enterprise apps to meet security requirements. Fiberlink Communications Corp.'s MaaS360 Secure Productivity Suite can unpack IT-uploaded apps; insert canned security functions (such as authentication or data leak prevention); and repack them for deployment onto managed devices. This can help employers deliver consistently secured apps without relying only on highly variable native device and app capabilities.

Another trend is decoupling securely managed data from full-blown device management. AirWatch's Mobile Content Management product combines basic device enrollment and compliance with data-centric functions, including a secure container in which to place enterprise data and tools that IT can use to deploy, update and delete data. When a BYOD is enrolled, IT can
MDM products are moving to offer more granular privacy options to address both employee and legal/regulatory concerns.

BlackBerry Enterprise Service 10 includes BlackBerry Balance, a manage-

browsing and other business applications. Employees have the freedom to install anything they want in their own Personal Space, without being shackled by IT policies, or worrying about IT snooping on private activities.

Another way in which MDM products are moving to enable personal freedom in concert with IT control is geo-fencing. This technique combines a user's current location with IT-defined policies. Citrix Systems Inc.'s XenMobile MDM product can enforce proxy-based URL filters and disable device capabilities, such as cameras, when used inside a secure facility, but automatically lift those restrictions when that device moves outside the fence. However, location-awareness can be a double-edged sword; there's
As MDM products mature, they are becoming better integrated with existing enterprise infrastructure. Tighter integration can facilitate business mobility. For example, enterprise SharePoint resources or cloud data services can be made available to mobile users via integration with managed secure containers. In addition, MDM integration with infrastructure can be helpful in delivering a seamless, secure mobile user experience.
Enterprise identity management is a hot area of innovation for MDM products. Most MDM products can be configured to interface with enterprise directories, most often Active Directory or LDAP, binding enrolled devices to authorized user identities and, perhaps, their group memberships. SecureAuth Corp.'s IdP is one product that takes identity management integration further by using identity and access management (IAM) and single sign-on as a mobile gateway into the enterprise. For example, rather than granting access to managed mobile devices, IdP grants mobile access to enrolled users, based on authenticated identity and SSO tokens.
TIGHTER INTEGRATION
MDM products are also achieving tighter integration with enterprise WLAN infrastructure, in effect using the network as a springboard for more automated device enrollment. Networks composed of wireless access points and switches from Aerohive can be configured to detect and fingerprint new mobile devices, automatically redirecting them to a JAMF Software or AirWatch MDM enrollment portal for zero-touch provisioning. Integrated approaches such as these make it easier to expand mobility to more users while deterring enterprise access by unknown and potentially risky BYODs.
As these examples show, today's MDM products are no longer monolithic systems focused on basic device management and little more. In fact, as MDM products grow more capable and sophisticated, many are being decoupled into a la carte capabilities, which allow IT to manage and secure mobility differently for each business unit or workgroup.
So don't be fooled by labels; dig deeper into the actual capabilities offered by each MDM product, looking for innovations that can help your organization expand mobility to diverse users and manage their risks effectively. The same MDM product may well support enterprise identity-based, full-device management for high-risk workers; lighter-weight but secure data-only management for knowledge workers; and securely wrapped app management
ABOUT THE AUTHOR

Kathleen Richards, Features Editor
Kara Gattine, Senior Managing Editor
Rachel Shuster, Associate Managing Editor
Linda Koury, Director of Online Design
Neva Maniscalco, Graphic Designer
Doug Olender, Vice President/Group Publisher, dolender@techtarget.com

TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com