

Tech Guide

Mobile Device Management


The increase of BYOD in the enterprise has forced IT security teams to find new
ways to secure corporate and personal data while allowing flexible user access.
In this Tech Guide, learn vital information regarding the booming BYOD trend in
the enterprise and how IT teams are looking to MDM solutions to control and
protect corporate data on mobile devices. BY LISA PHIFER

EDITOR'S NOTE

BYOD Increase Calls for Enterprise Mobile Device Management Systems

Mitigating BYOD Risks With Mobile Device Management Systems

MDM 2.0: Meeting New Mobility Management Needs

EDITOR'S NOTE

MDM Systems Take Hold as BYOD Booms
BYOD in the enterprise is booming, and IT security teams are struggling to control, monitor and protect essential corporate information transmitted from and stored on mobile devices. IT security teams need to maintain security and ensure compliance while still allowing flexible user access. So what is an IT security team to do?

In this technical guide, wireless expert Lisa Phifer discusses how the BYOD trend is leading IT teams to invest in and deploy mobile device management (MDM) solutions. You'll learn how to determine whether an MDM system is right for your organization, whether your existing systems can provide the necessary security controls, or whether additional device management features may be required. Once you've determined that deploying an MDM system is the right choice for your organization, Phifer explains how to deploy and apply MDM to reduce security risks brought on by BYOD. This includes enforcing compliance and testing the MDM system before fully deploying it in your environment.

Lastly, Phifer explores the idea of MDM 2.0: security and control beyond smartphones and tablets. As mobile security in the enterprise continues to expand, taking a look at the future can help IT security teams prepare for the next wave of MDM. Phifer discusses letting go of the idea that MDM is a tool for mobile device lockdown and treating it instead as a means of providing customizable security and control based on a user's needs and preferences.

Rachel Shuster
Associate Managing Editor, TechTarget's Security Media Group

2 M O B I L E D EV I C E M A NAG E M E N T

MDM SYSTEMS

BYOD Increase Calls for Enterprise Mobile Device Management Systems
Multi-platform mobile device management systems are gaining a foothold in enterprises anxious to meet the needs of today's expanding mobile workforce. While no silver bullet, MDM technology can give IT centralized, scalable visibility and control over the unruly bring-your-own-device (BYOD) trend.
In a recent study by Ponemon Institute, most organizations agreed that mobile devices created business risk but were important to achieving business objectives. However, just 39% had deployed security controls needed to address that risk; fewer than half of those could enforce mobile security policies.
Unfortunately, this lax governance has already resulted in non-compliance and data breaches. In Ponemon's survey, 59% said employees disengaged fundamental measures such as passwords; another 12% were unsure. It should, therefore, come as no surprise that half of those organizations had experienced mobile data loss during the past year.

Given the rash of employee-owned smartphones and tablets now finding their way into the workplace, IT simply must find a way to manage mobile application and system access while keeping corporate data secure. Fortunately, a new crop of multi-platform MDM products and services stands ready to help IT achieve these objectives and mitigate BYOD risks. However, organizations need to understand the benefits, nuances and limitations of this emerging technology before taking the plunge.

THE RISE OF MULTI-PLATFORM MDM

Mobile device management systems are not a recent phenomenon. Enterprises have long managed company-issued BlackBerrys and Windows Mobile devices via BlackBerry Enterprise Server (BES) and Microsoft Exchange ActiveSync (EAS). But yesterday's narrowly focused MDMs could not handle the consumer smartphones and tablets that flooded the workplace following Apple's iPhone release in 2007. As handset procurement rapidly shifted from employer to employee, driven by budget cuts and workforce demands, IT groups were left scrambling for more extensible tools.
Initially, IT had little choice but to reduce iPhone risk by applying EAS policies to block corporate email access from phones without a passcode and to remotely wipe those that were lost. But these basic measures fell short of governance needs. Certainly, they did not satisfy compliance mandates to encrypt data at rest, nor could they deliver proof of continuous enforcement or meet access tracking and audit requirements. Although EAS support in newer devices continues to expand, this messaging-centric approach is plagued by inconsistency and cannot meet broader mobility management requirements.
By early 2010, iPhones had been joined by iPads and Androids, fueling growth of the multi-platform MDM market. Niche multi-platform MDMs previously used by cellular companies and highly mobile verticals such as retail quickly expanded to embrace iOS 4, followed by Android 2.2. Today, multi-platform MDMs are viable alternatives to BES or EAS, giving enterprises a single pane of glass through which to monitor and manage an increasingly diverse array of corporate and bring-your-own phones and tablets.



MDM BREADTH AND DEPTH

Unlike BES, which uses a proprietary approach to manage only RIM devices running the BlackBerry OS, multi-platform MDMs are third-party products that use open APIs to tap the native interfaces and capabilities offered by many different devices. Today, it is common for MDMs to manage Apple devices running iOS 4+, Samsung/Motorola/HTC/LG devices running Android 2.2+, and an array of handheld and embedded devices running WinCE and Windows Mobile. Limited MDM support can also be found for Windows Phone and WebOS devices. However, the degree of monitoring and control delivered for each managed device varies by make/model and OS version.
For example, MDMs can usually enforce device-level access controls on iOS and Android devices. On iOS, IT may require alphanumeric passcodes with minimum length and special characters and limit passcode age, reuse, idle time, or failed entry attempts. On Android 3+, IT can enforce all of this, plus require upper/lowercase letters, digits, and symbols. Every MDM that supports iOS and Android exhibits this difference because it reflects native OS capabilities. However, the extent to which each MDM tries to hide such differences under unified consoles with a consistent look and feel varies widely.
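The iOS passcode policy described above is delivered as a Configuration Profile payload. The following added example (my own code, not the author's or any MDM vendor's) builds the com.apple.mobiledevice.passwordpolicy payload with Python's plistlib, serializes it as the .mobileconfig an MDM would push, and mirrors the checks the OS applies when a user chooses a passcode. The profile identifiers, organization name and threshold values are assumptions. The per-character-class minimums that Android 3+ can enforce have no iOS key, which is exactly the platform difference the paragraph describes.

```python
"""Build and check an iOS passcode-policy Configuration Profile (added example).

Payload keys are those of Apple's com.apple.mobiledevice.passwordpolicy payload.
Identifiers, organization name and policy values are assumptions for illustration.
"""
import plistlib
import uuid


def passcode_policy_payload(min_length=8, require_alphanumeric=True,
                            min_complex_chars=1, max_age_days=90,
                            pin_history=5, max_inactivity_min=5,
                            max_failed_attempts=10):
    """Return one passcode-policy payload dictionary."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",   # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                       # a passcode is required at all
        "allowSimple": False,                   # forbid repeating/sequential codes
        "requireAlphanumeric": require_alphanumeric,   # letters and digits
        "minLength": min_length,
        "minComplexChars": min_complex_chars,   # non-alphanumeric characters
        "maxPINAgeInDays": max_age_days,        # passcode age limit
        "pinHistory": pin_history,              # old passcodes kept for reuse check
        "maxInactivity": max_inactivity_min,    # auto-lock after N idle minutes
        "maxFailedAttempts": max_failed_attempts,   # device erases after N failures
    }


def build_profile(payloads, org="Example Corp"):
    """Wrap payloads in a top-level Configuration Profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.profile",   # assumed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{org} device policy",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,   # user cannot remove it while enrolled
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM pushes as a .mobileconfig."""
    return plistlib.dumps(profile)


def parse_mobileconfig(data):
    """Read a .mobileconfig back into a dictionary."""
    return plistlib.loads(data)


def _is_simple(code):
    """Repeated (1111) or strictly ascending/descending (1234, dcba) codes."""
    if len(set(code)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(code, code[1:])}
    return steps in ({1}, {-1})


def passcode_meets_policy(candidate, policy):
    """Mirror the checks the OS applies when a user sets a new passcode."""
    if len(candidate) < policy["minLength"]:
        return False
    has_alpha = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if policy["requireAlphanumeric"] and not (has_alpha and has_digit):
        return False
    if sum(not c.isalnum() for c in candidate) < policy["minComplexChars"]:
        return False
    if not policy["allowSimple"] and _is_simple(candidate):
        return False
    return True
```

Note that minComplexChars counts only non-alphanumeric characters; iOS cannot be told to require an uppercase letter or a digit as a separate minimum, whereas Android 3+ exposes exactly those minimums through DevicePolicyManager (setPasswordMinimumUpperCase and its siblings). An MDM console that shows one "passcode complexity" slider for both platforms is hiding this gap, not closing it.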
In other cases, mobile device management systems can do little to mask underlying diversity. For example, IT can use any MDM on the market to request a full-device wipe. Because all current Apple iPhones and iPads support full-device encryption, remote wipe easily renders data inaccessible. However, wiping most Android phones simply resets them to factory default, leaving cleartext behind on removable storage. MDMs cannot eliminate this native shortcoming; doing so falls to device manufacturers. But MDMs can provide tools to centrally invoke remote wipe, confirm a requested wipe has been completed, report on all wiped devices (including ownership and last known location), and clearly describe the consequences for each wiped device.
This is where MDM depth comes into play. Some MDMs stick to managing hardware, software and policies. Other MDMs pile on value-added security measures. For example, some MDMs create their own authenticated, encrypted data containers on managed devices. Any enterprise data stored in those containers can be reliably wiped, even on phones and tablets that do not support native full-device encryption. Moreover, this approach lets IT wipe data consistently across all MDM-supported platforms. However, MDMs that include these value-adds tend to have more device-specific dependencies and limitations than MDMs that focus on management.

LIFECYCLE MANAGEMENT

Enterprises flocking to multi-platform MDM technology to gain IT visibility and control over personally owned devices may find it hard to directly compare products. Heritage plays a role: Some MDMs historically focused on mobile expense management, others started with mobile application management and still others specialized in mobile security. Yet most of these MDMs deliver foundational capabilities such as inventory and policy management that cause them to appear superficially similar. Drilling beyond functional comparison can also reveal significant differences in automation, usability, scalability and integration.
One way to reduce confusion is to preface MDM product selection with an inventory of business mobility needs and use cases. When IDC surveyed businesses about their ability to support consumer devices in the workplace, four out of five respondents identified policy compliance and data security/access as top concerns. However, nearly the same percentage cited ensuring IT support and resource availability, readying mobile applications and setting employees up with multiple devices as major issues. In other words, choosing an MDM based on its ability to meet security needs alone may be shortsighted.
Instead, begin with lifecycle management. Even if the employer does not own an employee's mobile device, it owns the business data and applications stored on that device. Start by establishing a process for tracking and managing those assets through each device's lifetime.

Doing so creates an essential foundation for not just security management, but expense tracking, user assistance, application and data deployment and more. MDMs can enable lifecycle management by automating device enrollment, monitoring and de-enrollment, independent of ownership. Most MDMs support IT-initiated enrollment; some also offer user-initiated enrollment. Either way, users follow links to a self-help enrollment portal where they are prompted to enter credentials.

Behind the scenes, the MDM typically authenticates the user and compares user and device to IT-defined policies. If this user is permitted to enroll this device, based on make/model, OS, ownership and group membership, access may be authorized. MDMs may display an acceptable use policy and issue a device certificate before continuing on to provision the device over the air, applying device settings, security policies and applications.
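The enrollment decision just described, as an added example written for this guide rather than taken from any MDM product: an IT-defined rule set is evaluated against the authenticated user's directory groups and the attributes the device reports; the acceptable use policy must be accepted before anything is issued; and the first matching rule yields the provisioning bundle (settings, policies, apps). Rule contents, group names, OS version floors and bundle labels are assumptions, and certificate issuance is left out.

```python
"""Enrollment gate for a BYOD MDM portal (added example, not any vendor's code).

A request carries the authenticated user's directory groups and the attributes
the device reports. Rules decide whether this user may enroll this device and
what gets provisioned. All rule contents below are assumptions.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Device:
    platform: str          # "ios" | "android" | "windows_mobile"
    make: str
    model: str
    os_version: tuple      # e.g. (4, 2, 1)
    ownership: str         # "corporate" | "personal"


@dataclass
class EnrollmentRule:
    name: str
    platforms: set
    min_os: dict           # platform -> minimum version tuple
    ownership: set
    groups: set            # user must be in at least one of these
    bundle: list           # what to provision on success
    blocked_models: set = field(default_factory=set)

    def matches(self, user_groups, dev):
        return (dev.platform in self.platforms
                and dev.ownership in self.ownership
                and dev.model not in self.blocked_models
                and dev.os_version >= self.min_os.get(dev.platform, (0,))
                and bool(self.groups & user_groups))


RULES = [  # constructed examples of IT-defined enrollment policy
    EnrollmentRule("corporate-managed", {"ios", "android"},
                   {"ios": (4, 0), "android": (2, 2)},
                   {"corporate"}, {"employees"},
                   ["passcode-policy", "wifi", "vpn", "email", "app:crm"]),
    EnrollmentRule("byod-knowledge-worker", {"ios", "android"},
                   {"ios": (4, 0), "android": (3, 0)},   # 3+ for complex passcodes
                   {"personal"}, {"knowledge-workers", "sales"},
                   ["passcode-policy", "email", "secure-container"]),
]


def evaluate_enrollment(user_groups, dev, rules=RULES):
    """Return (allowed, rule_name, bundle); deny by default."""
    for rule in rules:
        if rule.matches(set(user_groups), dev):
            return True, rule.name, list(rule.bundle)
    return False, None, []


def enroll(user, user_groups, dev, aup_accepted):
    """Portal flow: the AUP must be accepted before any profile is issued."""
    if not aup_accepted:
        return {"status": "aup-required", "user": user}
    ok, rule, bundle = evaluate_enrollment(user_groups, dev)
    if not ok:
        return {"status": "denied", "user": user, "reason": "no matching rule"}
    return {"status": "enrolled", "user": user, "rule": rule,
            "provision": bundle, "ownership": dev.ownership}
```

The deny-by-default shape matters: an unknown platform, an ownership value the directory cannot confirm, or a user in no recognized group all fall through to "denied" rather than to a permissive catch-all, and the bundle for a personal device deliberately omits the VPN profile that the corporate rule grants.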
By automating enrollment, IT can deliver scalable support for many personally owned devices while placing well-defined limits on acceptable use. Devices that pass muster can be outfitted for safe, productive business use, leaving IT well-positioned to continually monitor activity and enforce security policy compliance. If an enrolled device is lost or stolen or becomes non-compliant, IT can use MDM to remotely find, lock or wipe it. In addition, MDM may be used to invoke temporary stop-loss actions such as removing settings that permit corporate email, VPN or application access. Eventually, when the employee leaves the company or the device is replaced, MDM can easily de-enroll it while wiping corporate assets. Many MDMs can now differentiate between full-device and enterprise wipe, letting IT decommission an employee's device without harming personal data.


DEPLOYING MDM

Mitigating BYOD Risks With Mobile Device Management Systems
Once enterprises understand the benefits and limitations of mobile device management (MDM) technology and have begun deploying an MDM solution, IT can use it to deploy, audit and enforce appropriate security controls.


Typically, IT can use MDM to remotely configure native device settings to reflect security policies, including: requiring a PIN or password; enabling auto-lock and auto-wipe features; encrypting data at rest on the device, removable media or in the cloud; protecting data in motion over email, VPN or Wi-Fi; and selectively disabling hardware and OS features such as integrated cameras. When properly configured, these native settings deliver most (but not all) mobile security best practices for personal smartphones and tablets.

As previously noted, supported policies do vary by device make/model and OS. However, mobile device management systems generally try to maximize IT access to native settings. For example, any MDM that supports iOS device management lets IT set any Apple-supported Configuration Profile attribute. MDM-configured controls for Android are more varied because the devices themselves are more diverse. Notably, manufacturers such as Samsung and Motorola have extended native APIs with proprietary attributes to give IT greater visibility, control and flexibility.
Ultimately, mobile security management requires careful analysis of native
device and OS features needed to implement policies and confirmation that
any MDM under consideration can deliver visibility and control over those
features. Where native capabilities are insufficient, MDMs can also help by
deploying, configuring and enforcing third-party security measures.
For example, health care organizations often use MDM to centrally deploy two-factor authentication, VPN clients and virtual desktop applications. Enterprises concerned about mobile malware can use MDM to push sandboxed browsers and antimalware. To an MDM, these are simply applications that must be installed and maintained. For this reason, organizations focused on MDM to enable security should also evaluate each product's application management capabilities.
ENFORCING COMPLIANCE WITH MDM TECHNOLOGY

For small mobile workforces, IT could enroll devices one by one, manually installing required security and business applications, but that does not scale, nor does it enable continuous monitoring and enforcement. This is where MDM technology can yield return on investment through logging, auditing and compliance enforcement.
Mobile device management systems can capitalize on their over-the-air access to enrolled smartphones and tablets. Even if devices never return to the office, MDMs can poll them to verify settings and detect events such as PIN disablement or blacklisted application installation. Some mobile devices and settings can be monitored from afar using nothing more than native APIs, notably Apple iPads and iPhones. Deeper-than-EAS insight on other devices (e.g., Android, Windows Mobile) usually requires installing a device-resident MDM agent.
Today, MDM vendors publish their agents at the Google Android Market or the Apple App Store, where users can freely download them. Upon installation, agents connect to a corporate MDM server that may be installed on-premises, hosted by a managed service provider, or operated as a cloud service. Thereafter, MDM agents can serve as IT's eyes and ears, logging activities, reporting on events, and carrying out MDM requests that go beyond native capabilities.
For example, it has become common for MDM agents to offer jailbreak or root detection. Jailbreaking or rooting poses business risks because it renders the underlying OS unreliable and raises concerns about device integrity. Jailbroken Apple devices are vulnerable to mobile malware downloaded from non-Apple websites. Rooted Android devices are even more vulnerable because applications can access normally privileged features. Bear in mind that the agent performs this check from an ordinary app on a device that may already be compromised, so detection can be evaded and should be treated as one signal rather than proof of integrity.

By immediately detecting such activity, MDM agents can notify administrators and users. IT can even install enforcement policies that automatically take actions such as disabling email or VPN access, removing enterprise applications or even wiping an offending device. Although available actions are limited by the mobile OS, they can still go a long way towards reducing business risk and encouraging voluntary compliance.
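Compliance evaluation over agent check-ins, as an added example written for this guide rather than taken from any MDM product: each constructed check-in record is scored for the violations this section lists (jailbreak or root, disabled PIN, blacklisted apps) plus two more a practitioner would add (encryption off, OS below the supported floor), and an action plan is chosen that escalates from notification through stop-loss removal of the email and VPN profiles to a wipe, using enterprise wipe rather than full-device wipe for personally owned devices. Record fields, package identifiers, version floors and the action vocabulary are assumptions.

```python
"""Score MDM agent check-ins and choose enforcement actions (added example).

The record format, package identifiers and thresholds are assumptions; the
check-in records used in the tests are constructed for this example.
"""
from dataclasses import dataclass

BLACKLIST = {"com.example.filesharer", "com.example.rootkit"}  # assumed package ids
MIN_OS = {"ios": (5, 0), "android": (2, 2)}                    # assumed floors


@dataclass
class CheckIn:
    device_id: str
    platform: str
    ownership: str            # "corporate" | "personal"
    os_version: tuple
    passcode_set: bool
    compromised: bool         # jailbreak (iOS) / root (Android) reported by agent
    installed: frozenset      # bundle or package identifiers
    encrypted: bool           # data-at-rest encryption reported on


def violations(ci, blacklist=BLACKLIST, min_os=MIN_OS):
    """List policy violations found in one check-in, most severe first."""
    v = []
    if ci.compromised:
        v.append("jailbroken-or-rooted")
    if not ci.passcode_set:
        v.append("passcode-disabled")
    if not ci.encrypted:
        v.append("encryption-off")
    if ci.os_version < min_os.get(ci.platform, (0,)):
        v.append("os-too-old")
    bad_apps = ci.installed & blacklist
    if bad_apps:
        v.append("blacklisted-app:" + ",".join(sorted(bad_apps)))
    return v


def decide_actions(ci):
    """Escalate proportionally; never full-wipe a personally owned device."""
    v = violations(ci)
    if not v:
        return []
    actions = ["notify-user", "notify-admin"]
    if "jailbroken-or-rooted" in v:
        # Integrity is gone: pull all corporate assets. On BYOD, an enterprise
        # wipe removes only what IT provisioned and leaves personal data intact.
        actions += ["remove-email-profile", "remove-vpn-profile",
                    "remove-enterprise-apps",
                    "full-wipe" if ci.ownership == "corporate" else "enterprise-wipe"]
        return actions
    if "passcode-disabled" in v or "encryption-off" in v:
        # Stop-loss: cut access to corporate mail and network until fixed
        actions += ["remove-email-profile", "remove-vpn-profile"]
    if any(x.startswith("blacklisted-app") for x in v):
        actions.append("remove-enterprise-apps")
    if "os-too-old" in v:
        actions.append("block-until-updated")
    return actions
```

The action names are a neutral vocabulary; before wiring them to real commands, map each one to what the target OS and agent can actually do, since silent app removal or a selective wipe is available on some platforms and versions and not others.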


TEST-DRIVE MDM SYSTEMS BEFORE BUYING

Like any other technology designed to assist IT with security enforcement, MDM is a means to an end. Organizations should not expect MDMs to magically keep a mobile workforce secure any more than a firewall can be expected to keep a corporate network safe. MDMs require careful selection, based on ability to meet business needs, implement desired policies, integrate with existing infrastructure and support workflows.
Those workflows and related IT processes should not be left as a post-deployment exercise. Diversity within the multi-platform MDM market becomes most apparent when organizations begin to use products to manage real-world devices. For best results, pilot a few MDM products by attempting to assert and enforce an acceptable use policy on various devices of importance to your workforce.


MDM 2.0

MDM 2.0: Meeting New Mobility Management Needs
While security teams are getting a grip on smartphones and tablets through basic mobile device management (MDM), enterprise mobility requirements continue to evolve. To address these advanced needs, better integrated and more granular MDM tools are emerging. Let's look at some of these innovations and how to put them to work.
MDM products initially focused on device inventory and provisioning but have expanded to address a broader range of needs, from security controls to expense management. However, BYOD is now driving interest in more granular tools to manage not only entire devices, but also the individual business assets carried on them, specifically applications and content.
Today's MDM products often include application management functions, ranging from software inventory and whitelist/blacklist controls to application installation, configuration, update and disablement/removal. One innovation called app wrapping beefs up enterprise apps to meet security requirements. Fiberlink Communications Corp.'s MaaS360 Secure Productivity Suite can unpack IT-uploaded apps, insert canned security functions (such as authentication or data leak prevention), and repack them for deployment onto managed devices. This can help employers deliver consistently secured apps without relying only on highly variable native device and app capabilities. Wrapping does require a binary the employer is entitled to modify and re-sign, so it applies to in-house and vendor-supplied apps rather than to apps installed from the public stores.
Another trend is decoupling securely managed data from full-blown device management. AirWatch's Mobile Content Management product combines basic device enrollment and compliance with data-centric functions, including a secure container in which to place enterprise data and tools that IT can use to deploy, update and delete data. When a BYOD is enrolled, IT can auto-push documents to a secure storage area that is subject to policies that control offline viewing, cut/paste and other document security management activities. If that BYOD later becomes non-compliant, IT can remove the container and its documents without needing, or having the ability, to wipe the entire device.
RESPECTING PERSONAL PRIVACY

More granular application and content management capabilities can help IT enable broader mobility with less effect on personal privacy. In addition, some MDM products are moving to offer more granular privacy options to address both employee and legal/regulatory concerns.

BlackBerry Enterprise Service 10 includes BlackBerry Balance, a management capability that carves out separate secure Work and Personal spaces on BlackBerry 10 devices. This dual persona approach offers more than a secure container; it creates an IT-managed, authenticated, encrypted Work Space in which employees can interact with corporate email, secure Web browsing and other business applications. Employees have the freedom to install anything they want in their own Personal Space, without being shackled by IT policies or worrying about IT snooping on private activities.
Another way in which MDM products are moving to enable personal freedom in concert with IT control is geo-fencing. This technique combines a user's current location with IT-defined policies. Citrix Systems Inc.'s XenMobile MDM product can enforce proxy-based URL filters and disable device capabilities such as cameras when a device is used inside a secure facility, but automatically lift those restrictions when that device moves outside the fence. However, location awareness can be a double-edged sword; there's a difference between using current location to make policy decisions and tracking historical location. The latter can raise privacy concerns and so should be done only with care and, of course, consent.
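A location-aware policy decision of the kind described above, as an added example that is not Citrix's or any other vendor's code: the device's reported position, widened by its accuracy radius, is tested against circular fences; inside a fence the camera is disabled and a proxy URL filter applied, and outside it the baseline policy returns. Only the current position is evaluated and nothing is retained, which keeps the design on the policy-decision side of the line the section draws. Fence coordinates, the proxy address and the policy keys are assumptions.

```python
"""Geo-fence policy evaluation (added example). Fences are circles given as
(lat, lon, radius_m); all coordinates and policy values are assumptions.
The current position is used for one decision and then discarded."""
import math

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two WGS84 points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


FENCES = {  # assumed secure facilities: (lat, lon, radius_m)
    "lab-building": (42.3370, -71.2092, 150.0),
}
FENCE_POLICY = {  # restrictions that apply only while inside the fence
    "lab-building": {"camera": False, "url_filter": "proxy.example.internal:8080"},
}
BASELINE = {"camera": True, "url_filter": None}   # policy everywhere else


def fences_containing(lat, lon, accuracy_m=0.0, fences=FENCES):
    """Names of fences the reported position (plus its error radius) overlaps.
    Treating a position near the boundary as inside fails closed: poor GPS
    yields the restrictive policy rather than the permissive one."""
    return [name for name, (flat, flon, r) in fences.items()
            if haversine_m(lat, lon, flat, flon) <= r + accuracy_m]


def effective_policy(lat, lon, accuracy_m=0.0):
    """Return (fences_inside, policy) for one position report."""
    policy = dict(BASELINE)
    inside = fences_containing(lat, lon, accuracy_m)
    for name in inside:
        policy.update(FENCE_POLICY.get(name, {}))
    return inside, policy


class DevicePolicyState:
    """Holds only the policy currently in force for a device; positions are
    evaluated and dropped, so there is no location history to subpoena or leak."""

    def __init__(self):
        self.current = dict(BASELINE)
        self.transitions = 0

    def report_location(self, lat, lon, accuracy_m=0.0):
        inside, policy = effective_policy(lat, lon, accuracy_m)
        changed = policy != self.current
        self.current = policy
        self.transitions += changed
        return inside, changed
```

If the product also logs every position report to build a trail, that is the historical tracking the section warns about, and it should be a separate, consented feature rather than a side effect of fence evaluation.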
LEVERAGING INTEGRATION

As MDM products mature, they are becoming better integrated with existing enterprise infrastructure. Tighter integration can facilitate business mobility. For example, enterprise SharePoint resources or cloud data services can be made available to mobile users via integration with managed secure containers. In addition, MDM integration with infrastructure can be helpful in delivering a seamless, secure mobile user experience.
Enterprise identity management is a hot area of innovation for MDM products. Most MDM products can be configured to interface with enterprise directories, most often Active Directory or LDAP, binding enrolled devices to authorized user identities and, perhaps, their group memberships. SecureAuth Corp.'s IdP is one product that takes identity management integration further by using identity and access management (IAM) and single sign-on as a mobile gateway into the enterprise. For example, rather than granting access to managed mobile devices, IdP grants mobile access to enrolled users, based on authenticated identity and SSO tokens.
TIGHTER INTEGRATION


MDM products are also achieving tighter integration with enterprise WLAN
infrastructure, in effect using the network as a springboard for more automated device enrollment. Networks composed of wireless access points and
switches from Aerohive can be configured to detect and fingerprint new mobile devices, automatically redirecting them to a JAMF Software or AirWatch
MDM enrollment portal for zero-touch provisioning. Integrated approaches,
such as these, make it easier to expand mobility to more users while deterring enterprise access by unknown and potentially risky BYODs.
As these examples show, today's MDM products are no longer monolithic systems focused on basic device management and little more. In fact, as MDM products grow more capable and sophisticated, many are being decoupled into a la carte capabilities, which allow IT to manage and secure mobility differently for each business unit or workgroup.
So don't be fooled by labels; dig deeper into the actual capabilities offered by each MDM product, looking for innovations that can help your organization expand mobility to diverse users and manage their risks effectively. The same MDM product may well support enterprise identity-based, full-device management for high-risk workers; lighter-weight but secure data-only management for knowledge workers; and securely wrapped app management to enable narrow access by all other mobile workers.

In short, avoid thinking about MDM as a tool for old-school corporate device lockdown. Develop use cases and desired security policies that focus on managing and securing only at-risk corporate assets, then let those policies drive your search for suitable MDM products and capability packages.


ABOUT THE AUTHOR

LISA PHIFER owns Core Competence, a consulting firm specializing in business use of emerging network and security technology. She has been involved in the design, implementation and evaluation of internetworking, security and management products for 30 years.

This Technical Guide on Mobile Device Management is a Security Media Group e-publication.
Robert Richardson
Editorial Director
Eric Parizo
Senior Site Editor


Kathleen Richards
Features Editor


Kara Gattine
Senior Managing Editor
Rachel Shuster
Associate Managing Editor


Linda Koury
Director of Online Design
Neva Maniscalco
Graphic Designer


Doug Olender
Vice President/Group Publisher
dolender@techtarget.com
TechTarget
275 Grove Street, Newton, MA 02466
www.techtarget.com


© 2013 TechTarget Inc. No part of this publication may be transmitted or reproduced in any form or by any means without written permission from the publisher. TechTarget reprints are available through The YGS Group.
About TechTarget: TechTarget publishes media
for information technology professionals. More than
100 focused websites enable quick access to a deep
store of news, advice and analysis about the technologies, products and processes crucial to your job.
Our live and virtual events give you direct access to
independent expert commentary and advice. At IT
Knowledge Exchange, our social community, you
can get advice and share solutions with peers and
experts.

