Mobile Device Management

Mobile Device Management also known as MDM is a solution to secure and monitor mobile devices used in an organization. MDM can offer a number of features for mobile devices in an organization such as:

  • Remote Wiping
  • Remote Locking
  • Passcode Requirements
  • Remote Unlocking
  • Installing Managed Applications
  • Enforcing & Verifying Encryption
  • Ensuring Compliance with Company Policies

 

Previously most mobile device management was done through a Blackberry Enterprise Server as many phones issued by organizations were BlackBerrys. The landscape of mobile devices has been changing and evolving very rapidly and BlackBerry devices are no longer the dominate force they once were. Many organizations have also been adopting a BYOD (bring your own device) model which means that employees are using their personal devices for work purposes. This can create issues where device security compliance needs to be monitored and enforced but without an MDM there is not an easy way to manage many different devices from different manufacturers. As new devices come out the MDM that is managing those needs to be able to evolve to manage the new risks and features on those devices.

Network Integration:

With the growing cost of mobile data and the switch from carriers offering unlimited data to tiered data (charging by gigabyte) as well as some devices only having Wi-Fi and not a cellular connection it may be necessary to have the ability to connect mobile devices to your corporate Wi-Fi network. This can bring in a new host of problems and security risks for the organization though. Some organizations offer guest networks that operate on the same infrastructure as the corporate network but are isolated by security measures. Depending on how the guest network is integrated into the infrastructure you could use MDM to act as a gateway to the network. Before allowing the device to connect to the network, it is important to determine the posture of the device which means verifying such things as: is it rooted (jail broken), does it have anti-virus, or is it in compliance with company policy. Even though the guest network may be isolated from the main network there is still a chance that an attack could occur from a mobile device just as easily as it could from a laptop or any other device that is able to connect to the network.

Remote Connectivity:

In some cases it might be part of policy to always have the device VPN into the organization’s network in order to access the organizational resource’s rather than relying solely on SSL encryption to protect data in transit. The ability to deploy the VPN connection settings to managed devices may be integrated depending on the MDM solution. A VPN can supply an additional layer of data security to data that is traveling across untrusted networks such as public Wi-Fi or home internet connections.

Handling Changes in Workplace:

When an employee contacts the IT department and says they have lost their phone or an employee leaves the organization either planned or unexpected you have to be able to handle those situations. An MDM solution is a way to help address those issues, allowing for a remote wipe of a device that was lost before it gets into the hands of an unauthorized person. Even if a device does get into the hands of an unauthorized person if encryption was enforced the data should be relatively safe. In the event of an employee leaving the organization the devices they used could be securely wiped so they are not leaving with confidential information.

Types of MDMs:

There are a number of types of mobile device management solutions available for organizations and some may already exist in the organization’s infrastructure. A number of organizations use a centralized email service such as Exchange or Google Apps for Business, both of which have some capabilities of mobile device management without adding additional licensing costs to the organization. Other solutions exist as well that can either be a cloud-based service, which would mean the organization would not have software installed locally but instead use an external provider. Some other MDM solutions may involve locally hosted hardware or software. Selecting a MDM solution for the organization can be a difficult process as there are many solutions available in the market. Choosing a system will depend on the needs of the organization, some may just desire the ability to remotely wipe, locate, or lock a phone while others may need the ability to control the applications that are downloaded to the device and enforce VPN policies.

Comparing some MDM Solutions:

This chart compares some popular MDM solutions based on their features. This was compiled using the information available from the manufacturer website and may change over time. Certain features have caveats such as minimum operating system version. This chart only covers Android and iOS devices.
 

Comparison of MDM solutions
Features
Exchange 2010
Google Apps for Business
Symantec Mobile Device Management
Airwatch
Passcode Requirement
Yes
Yes
Yes
Yes
Passcode Complexity
Yes
Yes
Yes
Yes
Wiping Device after invalid attempts
Yes
Yes
Yes
Yes
Encryption Requirements (device)
Yes*
Yes*
Yes*
Yes*
Encryption Requirements (storage device)
Yes*
Yes*
Yes*
Yes*
Disable Text Messaging
Varies
No
No
No
Remote Wipe
Yes
Yes
Yes
Yes
Restrict External Storage
Yes
No
Yes
Yes
Restrict Camera
Yes+
Yes+
Yes+
Yes+
Restrict Wi-Fi
Yes
No
Yes
Yes
Restrict Bluetooth
Yes
No
Yes
Yes
Quarantine Devices
Yes
Yes
Yes
Yes
Block Devices
Yes
Yes
Yes
Yes
Depoly VPN configuration
No
No
Yes
Yes
Root / Jailbroken Detection
No
No
Yes
Yes
Mobile Application Management
No
No
Yes
Yes

* Encryption on Android requires Android 3.0 or greater and on iOS devices a hardware capable device
+ Requires Android or iOS 4.0 or greater
Sources:
Airwatch: http://www.air-watch.com/solutions/bring-your-own-device-byod
Exchange: http://technet.microsoft.com/en-us/library/aa998357.aspx
Google Apps: https://support.google.com/a/bin/answer.py?hl=en&answer=1408902&topic=1734198&ctx=topic
Symantec Mobile Device: https://www.symantec.com/content/en/us/enterprise/fact_sheets/b-sym-mobile-management-configuration-manager-DS_21257284-1.en-us.pdf

Exchange is an email and communication system by Microsoft, it is quite common in medium to large organizations. It offers some basic MDM functionality for devices that are connected to it for email services but is not a full MDM solution. In basic testing some devices that were not compliant with the policies that were created were still showed as having full compliance so verification is important when using this solution.

Google Apps for Business is a competitor to Exchange and offers cloud based email and communication. It has some MDM functionality for devices that are connect to it for email services but it is not a full MDM solution. To enforce policies on Android devices the users must download and install Google Apps Device Policy from the Google Play Store.

Symantec Mobile Device Management is an MDM solution that is designed to fit in a larger Symantec enterprise solution. It offers a more complete MDM experience than Exchange or Google Apps for Business.

Airwatch is an MDM solution that allows organizations to have very granular control over devices including which applications are allowed to be installed on the device. It covers a wide array of devices including BlackBerrys, which are not offered by many other solutions.