What To Look For In A Mobile Device Management MDM Solution

IT administrators are being asked to come up with ways to permit mobile devices onto the corporate network in a secure fashion (via an MDM solution or other technology). This subject touches a few technology areas such as access control, secure wireless, data protection and secure management of mobile devices; however, the focus of this piece will be mobile device management. Members of my team have tested the MDM leaders such as Mobile Iron, AirWatch, Zenprise, Good Technology, McAfee, Symantec, etc. and summed up the following as things to consider when evaluating a Mobile Device Management solution.

The first thing to consider is your desired MDM policy. Typically there are three scenarios to address:

1) GUESTS / PERSONAL DEVICES - Devices coming on the network as guests that you don't manage and that do not access internal data

2) CONTRACTORS / PERSONAL DEVICES ON NETWORK - Devices coming on the network with partial access to corporate data

3) EMPLOYEES / CORPORATE DEVICES - Devices with full network access and managed by corporate.


The target of most MDM solution requirements is addressing items 2 and 3, while item 1 is typically covered by an access control technology. The two common approaches taken by MDM vendors are a sandbox or an endpoint management offering. Sandbox or secure container technologies provide the most security by protecting corporate data within a sandbox application. Policies for encryption, data loss prevention and limiting data access can be controlled through MDM-issued access methods rather than through what is offered by the device manufacturers. Most mobile device offerings give power to users (all but BlackBerry); however, sandbox technology protects the data regardless of the rights granted to users. The main drawback of the sandbox approach is that it does not use native device applications such as the built-in email client, which tends to hurt user acceptance. Good Technology is an example of a sandbox-based MDM solution.

MDM solutions that offer an endpoint management approach support specific platforms (Apple iOS, Android, etc.) and complement the existing native applications. Application management MDM solutions use an agent on the mobile device to control applications and to issue commands such as remotely wiping sensitive data. It is hard to say that application management MDM solutions address a specific threat category; however, risk is dramatically reduced by using them to remove hacked / jailbroken devices, permit only approved applications and manage native security options such as passwords and data removal. Application management MDM solutions tend to be better suited to "Bring your own device" requirements, while sandboxed MDM solutions favor corporate-issued mobile devices.

Other factors to consider are the provisioning of mobile devices and proper control of data access. Consider the activation and enrollment options for the three use cases listed above (guests, contractors and employees). Can employees register personal devices for access via a GUI, or will it require an administrator? How well does the MDM solution assign and manage corporate-controlled devices? What are the maintenance options for standardizing and upgrading mobile device software on corporate-managed assets? Can the MDM solution produce reports listing all applications on mobile devices that access the network? A strong MDM solution should handle all of these, with specific data access controlled by how users authenticate, whether through local authentication or an advanced access control solution.

The final thing to consider is MDM security features, which are usually common across the leading vendors. Top features include verifying device configuration policies, such as checking for hacks or jailbreaks. Policies should be flexible depending on whether devices are corporate or personal. Mobile device applications should be verified and controlled to avoid vulnerable software, such as a game carrying a malicious backdoor. Remote wipe capabilities should be available and should focus only on corporate data (i.e. do not wipe personal email, contacts, etc. without the end user's permission). Data protection such as password enforcement should be enabled through a centralized platform. All of these features should be displayed in a report so leadership can verify the security status of mobile devices accessing corporate data.
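To make the ownership-dependent checks above concrete, here is an added example (not code from this post or from any MDM vendor) of a policy evaluator that models the three device classes from the start of the post and the checks listed in this paragraph: jailbreak detection, passcode and encryption enforcement, approved-app control on corporate assets, a wipe scope that never touches personal data, and a per-device summary of the kind a leadership report would show. The device attributes, the policy table, the approved-app list and the sample devices are all constructed for the example; in a real deployment the MDM agent or a network profiler would supply the posture data.

```python
"""Hypothetical MDM compliance evaluator (example only, not vendor code).

Models the guest / personal / corporate device classes and applies a
per-class policy: jailbreak detection, passcode and encryption
enforcement, allow-listed apps on corporate assets, and a wipe scope
that never reaches personal data on a BYOD device.
"""
from dataclasses import dataclass
from enum import Enum


class Ownership(Enum):
    GUEST = "guest"          # unmanaged; handled by network access control
    PERSONAL = "personal"    # BYOD contractor/employee device, partial access
    CORPORATE = "corporate"  # company-issued and fully managed


class Access(Enum):
    BLOCKED = "blocked"
    INTERNET_ONLY = "internet_only"
    PARTIAL = "partial"
    FULL = "full"


@dataclass(frozen=True)
class DevicePosture:
    """Attributes an MDM agent (or NAC profiler) reports about a device (constructed)."""
    device_id: str
    ownership: Ownership
    jailbroken: bool
    passcode_set: bool
    encrypted: bool
    apps: frozenset


@dataclass(frozen=True)
class ClassPolicy:
    """Per-ownership policy: what is checked and what access compliance earns."""
    compliant_access: Access
    require_passcode: bool
    require_encryption: bool
    block_unapproved_apps: bool  # corporate devices only: allow-list enforcement
    wipe_scope: str              # what a remote wipe is permitted to touch


# Constructed allow-list for corporate assets.
APPROVED_APPS = frozenset({"mail", "calendar", "vpn"})

# Constructed policy table: one entry per device class.
POLICIES = {
    # Guests never reach internal data, so their posture is not evaluated at all.
    Ownership.GUEST: ClassPolicy(Access.INTERNET_ONLY, False, False, False, "none"),
    # BYOD: enforce native security settings, leave personal apps alone,
    # and only ever wipe the corporate data.
    Ownership.PERSONAL: ClassPolicy(Access.PARTIAL, True, True, False, "corporate_data_only"),
    # Corporate assets: allow-listed apps, full access, full-device wipe permitted.
    Ownership.CORPORATE: ClassPolicy(Access.FULL, True, True, True, "full_device"),
}


def evaluate(device: DevicePosture) -> tuple[Access, list[str]]:
    """Return the access level to grant and the list of policy findings."""
    policy = POLICIES[device.ownership]
    findings: list[str] = []
    if device.ownership is Ownership.GUEST:
        return policy.compliant_access, findings  # no internal data, no checks
    # A jailbroken / rooted device is non-compliant for every managed class.
    if device.jailbroken:
        findings.append("jailbroken")
    if policy.require_passcode and not device.passcode_set:
        findings.append("no_passcode")
    if policy.require_encryption and not device.encrypted:
        findings.append("storage_not_encrypted")
    if policy.block_unapproved_apps:
        for app in sorted(device.apps - APPROVED_APPS):
            findings.append(f"unapproved_app:{app}")
    if findings:
        return Access.BLOCKED, findings
    return policy.compliant_access, findings


def wipe_scope(device: DevicePosture) -> str:
    """Scope a remote wipe to what the organisation owns; personal data stays untouched."""
    return POLICIES[device.ownership].wipe_scope


def compliance_report(devices) -> dict:
    """Per-device summary of the kind a leadership report would show."""
    report = {}
    for d in devices:
        access, findings = evaluate(d)
        report[d.device_id] = {"access": access.value, "findings": findings, "wipe": wipe_scope(d)}
    return report


# Constructed sample fleet covering each class and the common failure modes.
SAMPLE_DEVICES = (
    DevicePosture("guest-01", Ownership.GUEST, True, False, False, frozenset()),
    DevicePosture("byod-07", Ownership.PERSONAL, False, True, True, frozenset({"mail", "game"})),
    DevicePosture("byod-09", Ownership.PERSONAL, True, True, True, frozenset({"mail"})),
    DevicePosture("corp-12", Ownership.CORPORATE, False, True, True, frozenset({"mail", "vpn", "game"})),
)

if __name__ == "__main__":
    for device_id, row in compliance_report(SAMPLE_DEVICES).items():
        print(device_id, row)
```

Note the asymmetry the post calls for: the personal device with a game installed keeps partial access because BYOD policy does not police personal apps, while the same game on a corporate asset blocks access; the jailbroken BYOD device is blocked regardless, and its wipe scope still cannot reach beyond corporate data.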

Every MDM vendor has its own way of implementing these features, so it's a good idea to develop your policy first and match it to an MDM solution rather than run an open comparison between products. Hopefully this gives you some points to consider for your MDM evaluation. Also note that subjects like access control, two-factor authentication, secure wireless and other technologies should be considered for a complete solution.


14 thoughts on “What To Look For In A Mobile Device Management MDM Solution”

  1. Thanks for publishing your information. You wrote something about an evaluation of the leading MDM vendors. Could you tell me/us a bit more about the results?

    Thanks.

    1. Sure, I'll do a focused post shortly. The vendors we looked at were Mobile Iron, AirWatch, Zen and Good Technologies. We like Mobile Iron and AirWatch the best. I just finished the Mobile Iron Engineering class and will post a summary. Thanks for reading.

      1. Hi,
        Do you have the info on the engineering class and summary of MI and Airwatch?

        Ashwin

        1. Hi Ashwin. What do you mean? Are you interested in level of effort to deploy each solution? What certifications they hold (CC, etc?)? Not sure what you are looking for but happy to help.

  2. Thanks for this very useful starter in the MDM decision process.

    You say Sandbox favours corporate issued devices? Based purely on research, with no hands-on experience, I personally feel it is the other way around. With a sandboxed deployment the corporate is by default protected and only needs to worry about maintaining the security and integrity of the sandbox contents, leaving the user to load whatever their heart desires on their own device, safe in the knowledge my corporate data is tucked away in its secure sandbox. All other aspects of the mobile device (apps, Angry Birds!) are of no concern to the corporate.

    As opposed to the end point management method where the corporate now has the added overhead of knowing about, managing and keeping up with the plethora of other apps and functions that the user inherently has control over, being they have brought their own device.

    I look forward to be corrected!

    1. Hi
      Thanks for the article, very interesting and topical for my current challenges. While I fully appreciate each scenario is unique, I do agree with Olly on this point. If I was to advise my personal device users that I was going to run an agent on their device which will allow me to observe the whole device and enforce security settings and potentially restrict native functionality along with being able to wipe the device, they would no doubt laugh in my face. While endpoint solutions allow native functionality, concerns are often raised via security regarding data loss.
      While some Sandbox products out there allow elements of MDM, they are not key to providing the Sandbox.
      Thanks

      1. Hi Geoff,

        You bring a very valid point. Honestly every corporation is going to have unique business requirements, which also means a customized solution. The purpose of this post is to talk about a reference architecture of which some or all parts can be used to secure your network (check out this post for more info http://www.thesecurityblogger.com/?p=775 ). For very secure agencies, end user acceptance may not be as important as for a commercial business use such as a hotel. If you are concerned users will not permit an agent to verify if their mobile device is secure (IE check for jailbreaks, no approved apps, password / encryption enforcement, etc.), it may make sense to focus your policy at the network level (aka ANY endpoint management solution will probably not be accepted). This means using a profiling technology such as Cisco ISE to identify mobile devices and either place them on a separate VLAN or apply access lists to limit their network access. This does not protect devices when they are off the network. You can enable a VPN client on the mobile devices (such as Cisco AnyConnect) if it's native to that device. iPhones offer this.

        Another option to consider is Data Loss Prevention, which is becoming more capable for mobile devices. I’ve used RSA’s solution for tablets, which protects the data rather than focuses on the device. I’ve also seen solutions that provide encryption / data in motion protection that password protect sensitive data so your mobile users can access the data with proper authentication.

        Hopefully this helps. If your users would laugh in your face if required to use a sandbox or application management approach, remove them as a factor by focusing on securing your network and ease of use through guest / employee management.

  3. Hi Olly,

    Honestly the conversation can go either way. It really comes down to the customer's requirements. We have been delivering End Point Management solutions the majority of the time regardless of who owns the device for the reasons you mentioned. The Sandbox approach only protects what's in the sandbox, leaving the actual device vulnerable. It's like saying "let's not patch laptops anymore and just put everything in a sandbox", whereas most customers do the exact opposite.

    My point in this post was we see the majority of the customers purchasing sandbox technologies for corporate owned devices rather than for personal devices. That doesn't mean from a sales viewpoint that sandbox sales are higher than endpoint management solutions. We honestly sell End Point Management technology 95% of the time, and 100% of the few cases where we go sandbox are for corporate owned devices. End users bringing their own devices want to use native apps and hate sandbox technology for mobile. Just my 2 cents.

    Thanks for reading

  4. I just need to agree that Sandbox is for BYOD. Running pure MDM on a personally owned device is like taking control over a user's personal computer at home, restricting software and applying security policies to that computer.
    And then delivering corporate email to that home computer without VPN. That is not done today, so why do that on another type of personal device just because it's a smart phone?
    Will the user accept that you block certain apps on their personally owned device just because the corporate policy says so?
    By using a Sandbox you will not touch any of the personal stuff but still deliver secured email or corporate apps that need to be secured. You choose whether an attachment should be readable by an app outside of the sandbox or not. If you are afraid of losing valuable information via email attachments, MDM is a nightmare. Just try it out yourself by running Dropbox on an iOS device, then choose to open an attachment in Dropbox and see how easy it is to upload that attachment. As the same Dropbox is used by the user for personal stuff, you will not be able to prevent that app.
    I do not understand that some people still believe MDM is better suited for BYOD. And using a DLP solution where all traffic, even personal stuff after office hours, is routed through the corporate network and checked is not acceptable for personally owned devices. For companies that are working hard on security, an MDM solution will just be an enabler of these unsecured devices.
    Just my 2 cents!

  5. Hi Magnum,

    Love the feedback. It's very helpful. Keep in mind every environment is different. For your environment, MDM may be impossible, as for others where the users would rebel against controlling their mobile devices. In other environments, users may want to use native apps and email for everything and be willing to use an MDM product to have that luxury. Also some administrators may not want jailbroken devices on their network due to the increase of risk (MDM solves this). Studies show the top compromised mobile devices today are Androids (due to the open platform) and jailbroken iOS devices.

    We see DOD and corporate owned devices leaning more towards the sandbox approach while commercial agencies permitting personal devices with internal email privileges are going the MDM route. This is just trending who is buying what. This doesn't mean that's the best route if you are part of those organizations, but right now that is how the market is moving according to our numbers.

    The last note is if it's hard to decide which route is best for securing mobile devices, a good place to start is securing the network using Access Control and enabling VPN as well as DLP on mobile devices. This way mobile devices are limited in what they can access via the internal network and the data on those devices is protected regardless of the risk associated with the platform.

    Hope this helps. Again great feedback!

  6. We have deployed AirWatch. Guys, BYOD is a user's decision. If they are happy for their device to be used as a tool for work, after being made aware of what the effect of having policy controls on it is, then there is NO argument. Fact is companies are buying this tech for data protection on their own mobile assets. The BYOD is, as discussed, only a part of it. AirWatch will only wipe a company owned asset, but only destroy the sandbox in a BYOD. Which brings me to the point. It is the policy configuration scope that can cause the "You wiped my family pictures 'n' music" problem. So make sure you configure properly or face the pain dealing with outraged employees 🙂

    1. Hi Rob,

      This is true; however, there are many forms of mobile security. BYOD to a theme park is "let them get on as quick as possible to see the park map but limit to only specific things and/or internet" while BYOD to the military is "no personal devices … just government issued tablets that are locked down". Mobile security needs to match the business mission and must be something users accept. For example, many of our customers are concerned about having personal devices on the network for risk of data loss, introducing malware and risk of destroying personal data such as family pictures. We suggest developing a policy that states "If you want to have corporate / sensitive data on your personal device, that device MUST MEET SECURITY STANDARDS. Standards are having a mobile device management solution installed to enforce password policies, encryption and a method to destroy the sensitive data if the device is compromised". If users don't want to agree with that, they can't get email on that device. Employee issued devices are a different story and typically easier to "lock down" with things like MDM since they are not supposed to be used for personal means.

      There are many examples of mobile security. It's best practice to match the technology to your business goals and not vice versa. Obviously misconfiguring something is also an issue, such as your example of wiping out personal music and pictures. That's where the architecture of your solution is key and should be developed by somebody with industry experience. Spend the extra time and money building the right solution rather than rushing the solution.

  7. I carry out IT audit work for several government departments and agencies and have examined BYOD at several of them. All were different and used different MDM solutions. I think you need to differentiate between BYOD and mobile working. Many companies already have mobile working policies and Acceptable Use Policies for laptops and these (with a few amendments) will apply to tablets. Most of the places I have looked at have tested BYOD by only allowing access from officially provided iPads. This is not true BYOD as the devices are not personal and can easily be tailored to enforce local policies. I don't have any preference between a sandbox and endpoint management but I always recommend that the MDM solution must deliver the following facilities:
    strong encryption, strong passwords enforced, remote wipe (not much use if the SIM is removed), no data storage on the device or SD card, identification of jailbreaking and automatic blocking, identification of unusual activity / loading of unauthorised apps and blocking. Some clients allow staff to access emails and attachments using webmail on personal computers but for some reason want to protect email on tablets and smartphones. The government agency GCHQ / CESG has carried out a security check on Apple iOS and has recommended numerous restrictions and security actions if it is to be considered for use for RESTRICTED level data. Unfortunately the restrictions require removal of most of the benefits of an iPad/iPhone.
    The difficulty in defining security policy is the lack of strategy on what the devices will be used for and by whom. Most IT departments are just asked to connect senior managers and directors (and provide the iPad) without any thought of business need. Ideally a company should build a business case based upon expected savings from reducing company provided devices and increasing the use of voluntary out of hours work. The latter is difficult to quantify when use of personal devices is voluntary and the levels of use unknown. Everyone seems to agree that BYOD is the answer (well, all the MDM salesmen do) but no one knows what the question is.
    I would recommend that your IT unit should carry out a proof of concept trial to assess the risks, potential needs and required policies. Then managers and staff should be allowed to put forward individual cases to justify why they need to access the company networks, email and data and how this will benefit them and the company. Once the types of use and benefits can be clearly seen, a business strategy can be defined and a proper business case made for wider roll out.

    1. Hi Geoff,

      I completely agree that the term BYOD doesn't apply to many government agencies. It should be called mobile security, covering devices issued by the government rather than just personal devices; however, the popular marketing title for this security space is BYOD.

      Regarding your recommendations for MDM, we see the same as top requirements. Encryption is very important. Usually we see selective remote wipe meaning only wipe specific company data. Jailbreak detection is important however there are ways to load unauthorized apps without jailbreaking (I have tested this). Other value we hear about is being able to remotely locate devices and change passwords. This saves IT tons of time dealing with employees misplacing devices or forgetting passwords.

      We also see many agencies moving forward with permitting mobile devices without a plan and later trying to adapt rather than being strategic about providing access. This typically is caused by somebody with power getting an iPad and demanding full access. We recommend starting off with a mobile only policy that puts all devices into a separate network and slowly moving access over using Network Access based technology. This way you know what types of devices are coming on the network and who is using them, and can slowly identify how they should gain access to internal resources if needed. I also recommend an insider threat solution that monitors if mobile or other devices are compromised and bypass security. This way MDM or Access control are not your only layers of security.

      Nice comments. Thanks for reading.
