IT administrators are being asked to find ways to permit mobile devices onto the corporate network securely, whether through an MDM solution or other technology. The subject touches several technology areas, including access control, secure wireless, data protection and secure management of mobile devices; the focus of this piece is mobile device management. Members of my team have tested the MDM leaders, such as MobileIron, AirWatch, Zenprise, Good Technology, McAfee and Symantec, and summed up the following as things to consider when evaluating a Mobile Device Management solution.
The first thing to consider is your desired MDM policy. Typically there are three scenarios to address:
1) GUESTS / PERSONAL DEVICES – Devices coming onto the network as guests that you neither manage nor grant access to internal data
2) CONTRACTORS / PERSONAL DEVICES ON NETWORK – Devices coming onto the network with partial access to corporate data
3) EMPLOYEES / CORPORATE DEVICES – Devices with full network access, managed by the corporation.
Most MDM solution requirements target items 2 and 3; item 1 is typically covered by an access control technology. MDM vendors take two common approaches: a sandbox (secure container) or endpoint management. Sandbox or secure container technologies provide the most security by keeping corporate data inside a sandboxed application. Policies for encryption, data loss prevention and limiting data access are enforced through the MDM-issued applications rather than through whatever the device manufacturer offers. Most mobile platforms (all but BlackBerry) give considerable power to the user, but sandbox technology protects the data regardless of the rights granted to the user. The main argument against the sandbox approach is that it does not use native device applications such as the built-in email client, which tends to hurt user acceptance. Good Technology is an example of a sandbox-based MDM solution.
MDM solutions that take an endpoint management approach support specific platforms (Apple iOS, Android, etc.) and complement the existing native applications. These application management MDM solutions use an agent on the mobile device to control applications and to issue commands such as remotely wiping sensitive data. It is hard to say that application management addresses one specific threat category, but risk is dramatically reduced by using it to remove hacked or jailbroken devices from the network, permit only approved applications, and manage the native security options such as passcodes and data removal. Application management MDM solutions tend to be better suited to "bring your own device" requirements, while sandboxed MDM solutions favor corporate-issued mobile devices.
Other factors to consider are provisioning mobile devices and controlling data access. Consider the activation and enrollment options for the three use cases listed above (guests, contractors and employees). Can employees register personal devices for access through a self-service GUI, or will it require an administrator? How well does the MDM solution assign and manage corporate-controlled devices? What maintenance options exist for standardizing and upgrading mobile device software on corporate-managed assets? Can the MDM solution report every application installed on mobile devices that access the network? A strong MDM solution should handle all of these, with data access controlled by how users authenticate, whether through local authentication or an advanced access control solution.
The final thing to consider is the MDM security features, which are largely common across the leading vendors. Top features include verifying device configuration policies, such as checking for hacks or jailbreaks. Policies should be flexible depending on whether devices are corporate or personal. Mobile applications should be verified and controlled to avoid vulnerable or malicious software, such as a game that carries a backdoor. Remote wipe should be available and, on personal devices, should be limited to corporate data (i.e. do not wipe personal email, contacts, etc. without the end user's permission). Data protection such as passcode enforcement should be managed from a centralized platform. All of these features should be reflected in a report so leadership can verify the security status of mobile devices accessing corporate data.
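As an added worked example (not part of the original post, and not any MDM vendor's code or API), the following Python sketch shows how the checks above combine into a per-device compliance decision: jailbreak detection, passcode and encryption enforcement, app allow-listing on corporate assets only, a selective wipe of corporate data on a personal device versus a full wipe on a corporate one, and a per-ownership summary of the kind a leadership report would carry. The device records, the approved app list and the passcode threshold are constructed assumptions for illustration.

```python
"""Added illustrative example for this article: a minimal MDM-style compliance
evaluator. Not a vendor's code or API. All device records, the approved app
list and the policy thresholds below are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List

APPROVED_APPS = {"com.example.mail", "com.example.docs", "com.example.vpn"}  # assumed allow-list
MIN_PASSCODE_LEN = 6  # assumed policy minimum


@dataclass
class Device:
    device_id: str
    owner: str              # "corporate" or "personal"
    user: str
    jailbroken: bool        # result of the agent's jailbreak/root check
    passcode_len: int       # 0 means no passcode configured
    encrypted: bool         # device storage encryption enabled
    apps: List[str]         # installed application identifiers
    corporate_data: bool    # holds corporate mail/profile/documents


@dataclass
class Finding:
    device_id: str
    owner: str
    violations: List[str] = field(default_factory=list)
    unapproved_apps: List[str] = field(default_factory=list)
    action: str = "allow"   # allow | quarantine | selective_wipe | full_wipe | block


def evaluate(device: Device) -> Finding:
    """Apply the policy for the device's ownership class and pick an action."""
    f = Finding(device.device_id, device.owner)
    f.unapproved_apps = sorted(set(device.apps) - APPROVED_APPS)

    if device.jailbroken:
        f.violations.append("jailbroken")
    if device.passcode_len < MIN_PASSCODE_LEN:
        f.violations.append("weak_or_missing_passcode")
    if not device.encrypted:
        f.violations.append("unencrypted")
    # App allow-listing is enforced only on corporate assets; on personal
    # devices the list is reported but not treated as a violation.
    if device.owner == "corporate" and f.unapproved_apps:
        f.violations.append("unapproved_apps")

    if "jailbroken" in f.violations:
        # A compromised device loses access. Wipe scope depends on ownership:
        # full wipe for a corporate asset, corporate-data-only for a personal
        # one (never the user's own photos/music), block if nothing to wipe.
        if device.owner == "corporate":
            f.action = "full_wipe"
        elif device.corporate_data:
            f.action = "selective_wipe"
        else:
            f.action = "block"
    elif f.violations:
        f.action = "quarantine"   # restricted network until remediated
    return f


def summary(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Per-ownership counts of each action: the roll-up leadership would see."""
    out: Dict[str, Dict[str, int]] = {}
    for f in findings:
        bucket = out.setdefault(f.owner, {})
        bucket[f.action] = bucket.get(f.action, 0) + 1
    return out


# Constructed sample inventory (not real devices).
SAMPLE_DEVICES = [
    Device("d1", "corporate", "alice", False, 8, True, ["com.example.mail", "com.example.vpn"], True),
    Device("d2", "personal", "bob", True, 4, True, ["com.example.mail", "com.social.chat"], True),
    Device("d3", "corporate", "carol", True, 8, True, ["com.example.mail"], True),
    Device("d4", "personal", "dave", False, 0, False, ["com.example.mail"], True),
    Device("d5", "corporate", "erin", False, 8, True, ["com.example.mail", "com.games.freecoins"], True),
    Device("d6", "personal", "frank", True, 6, True, ["com.social.chat"], False),
]


def run(devices: List[Device] = SAMPLE_DEVICES) -> List[Finding]:
    """Evaluate every device in the inventory."""
    return [evaluate(d) for d in devices]


if __name__ == "__main__":
    findings = run()
    for f in findings:
        print(f.device_id, f.owner, f.action, f.violations, f.unapproved_apps)
    print(summary(findings))
```

The point to notice is that the same finding ("jailbroken") produces a different action depending on ownership, which is exactly the policy-scope decision that separates a clean selective wipe from wiping someone's family photos.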
Every MDM vendor accomplishes these features in its own way, so it is a good idea to develop your policy first and match an MDM solution to it rather than run an open comparison between products. Hopefully this gives you some points to consider for your MDM evaluation. Note also that access control, two-factor authentication, secure wireless and other technologies should be considered as part of a complete solution.
4 thoughts on “What To Look For In A Mobile Device Management MDM Solution”
We have deployed AirWatch. Guys, BYOD is a user's decision. If they are happy for their device to be used as a tool for work, after being made aware of the effect of having policy controls on it, then there is NO argument. The fact is companies are buying this tech for data protection on their own mobile assets. BYOD is, as discussed, only a part of it. AirWatch will only wipe a company-owned asset, but only destroy the sandbox on a BYOD. Which brings me to the point: it is the policy configuration scope that can cause the "You wiped my family pictures and music" problem. So make sure you configure it properly or face the pain of dealing with outraged employees 🙂
This is true; however, there are many forms of mobile security. BYOD to a theme park is "let them get on as quickly as possible to see the park map but limit them to only specific things and/or the internet", while BYOD to the military is "no personal devices … just government-issued tablets that are locked down". Mobile security needs to match the business mission and must be something users accept. For example, many of our customers are concerned about having personal devices on the network for risk of data loss, introducing malware and the risk of destroying personal data such as family pictures. We suggest developing a policy that states "If you want to have corporate / sensitive data on your personal device, that device MUST MEET SECURITY STANDARDS. The standards are having a mobile device management solution installed to enforce password policies and encryption, and a method to destroy the sensitive data if the device is compromised". If users don't want to agree to that, they can't get email on that device. Employee issued devices are a different story and typically easier to "lock down" with things like MDM, since they are not supposed to be used for personal means.
There are many examples of mobile security. It's best practice to match the technology to your business goals and not vice versa. Obviously misconfiguring something is also an issue, as in your example of wiping out personal music and pictures. That's where the architecture of your solution is key and should be developed by somebody with industry experience. Spend the extra time and money building the right solution rather than rushing it.
I carry out IT audit work for several government departments and agencies and have examined BYOD at several of them. All were different and used different MDM solutions. I think you need to differentiate between BYOD and mobile working. Many companies already have mobile working policies and Acceptable Use Policies for laptops, and these (with a few amendments) will apply to tablets. Most of the places I have looked at have tested BYOD by only allowing access from officially provided iPads. This is not true BYOD, as the devices are not personal and can easily be tailored to enforce local policies. I don't have any preference between a sandbox and endpoint management, but I always recommend that the MDM solution must deliver the following facilities:
Strong encryption; strong passwords enforced; remote wipe (not much use if the SIM is removed); no data storage on the device or SD card; identification of jailbreaking and automatic blocking; identification of unusual activity/loading unauthorised apps and blocking. Some clients allow staff to access emails and attachments using webmail on personal computers but for some reason want to protect email on tablets and smartphones. The government agency GCHQ / CESG has carried out a security check on Apple iOS and has recommended numerous restrictions and security actions if it is to be considered for use with RESTRICTED level data. Unfortunately the restrictions require removal of most of the benefits of an iPad/iPhone.
The difficulty in defining security policy is the lack of strategy on what the devices will be used for and by whom. Most IT departments are just asked to connect senior managers and directors (and provide the iPad) without any thought of business need. Ideally a company should build a business case based upon expected savings from reducing company-provided devices and increasing the use of voluntary out-of-hours work. The latter is difficult to quantify when use of personal devices is voluntary and the levels of use unknown. Everyone seems to agree that BYOD is the answer (well, all the MDM salesmen do) but no one knows what the question is.
I would recommend that your IT unit carry out a proof of concept trial to assess the risks, potential needs and required policies. Then managers and staff should be allowed to put forward individual cases to justify why they need to access the company networks, email and data and how this will benefit them and the company. Once the types of use and benefits can be clearly seen, a business strategy can be defined and a proper business case made for wider roll-out.
I completely agree that the term BYOD doesn't apply to many government agencies. It should be called mobile security, covering devices issued by the government rather than just personal devices; however, the popular marketing title for this security space is BYOD.
Regarding your recommendations for MDM, we see the same as top requirements. Encryption is very important. Usually we see selective remote wipe, meaning only wiping specific company data. Jailbreak detection is important; however, there are ways to load unauthorized apps without jailbreaking (I have tested this). Other value we hear about is being able to remotely locate devices and change passwords. This saves IT tons of time dealing with employees misplacing devices or forgetting passwords.
We also see many agencies moving forward with permitting mobile devices without a plan and later trying to adapt, rather than being strategic about providing access. This is typically caused by somebody with power getting an iPad and demanding full access. We recommend starting off with a mobile-only policy that puts all devices into a separate network and slowly moving access over using network access control technology. This way you know what types of devices are coming onto the network and who is using them, and can slowly identify how they should gain access to internal resources if needed. I also recommend an insider threat solution that monitors whether mobile or other devices are compromised and bypass security. This way MDM or access control are not your only layers of security.
Nice comments. Thanks for reading.