For many years, Blackberry mobile devices were the only ones allowed onto most corporate networks, and a Blackberry Enterprise Server (BES) was typically used to look after the security and management of these devices. But now many companies are investing in more flexible, less platform-specific mobile device management (MDM) platforms.
The driver for MDM adoption is the take-up of mobile devices by C-level executives, according to Christian Kane, an analyst at Forrester. "If VIP users are saying that they have got iPads, IT is going to have to support them. They are going to have to provide baseline security," he said. More general 'Bring your own device' (BYOD) programs have made the problem more acute, not least because most employees are choosing iOS-based devices or, to a much lesser extent, devices based on the Android mobile platform, he said.
Phil Redman, an analyst at Gartner, believes that any company that allows non-Blackberry mobile devices onto their network has no choice but to invest in an MDM. "Unlike Blackberry, platforms like iOS and Android are not built with the enterprise in mind," he said. "They are simply not as secure as Blackberry, and to make them secure, companies have to spend some money."
While it may be true that very small organizations can manage the data on employees' mobile devices individually, for most organizations this solution rapidly becomes impossible. "There is simply no way to do risk management of mobile devices by hand," said Michael Davis, CEO of security consultancy Savid Technologies. "There are simply too many security knobs to turn and different users to deal with in most organizations."
The core driver, then, for purchasing an MDM solution is security, and any good MDM platform must therefore offer a comprehensive range of security features. These should include:
- Enforcing device PIN/password usage: Ensuring that the device can only be accessed after entering a (usually) four-digit PIN or, preferably, a password or phrase that is not easily guessable.
- Remote device lock/wipe: The ability for administrators to lock or delete the data - either all data or just corporate data - from a device that is reported lost or stolen.
- Data encryption: Activating on-device data encryption on platforms such as iOS that have it built in, or adding this functionality to platforms such as Android that might not.
- Jailbreak/root detection: Jailbreaking or rooting a mobile device frees it from many OS-level security restrictions, and may also enable users to bypass security controls imposed by an MDM. For that reason, it is vital that an MDM can detect when a device has been jailbroken or rooted.
- Data loss prevention: Preventing certain categories of corporate data to be sent from the device by specified means, such as email.
Once an organization moves from supporting a single type of device (such as BlackBerry smartphones) to supporting employee-owned devices of their own choosing, management tasks such as device configuration and updating become extremely complex. At a minimum, an MDM system must therefore provide:
- Remote configuration: This should include security, and application configuration settings, and imposing policies (such as who can access certain corporate applications from mobile devices) based on Active Directory groups.
- Remote operating system and application updating: Ensuring that employees have consistent versions of OS and application software reduces security risks and reliability issues.
- Remote inventorying: This allows IT staff or MDM policy engines to see the internal state of mobile devices such as security configuration problems, spot compliance or security issues and perform remediation or alert users to possible problems.
- Remote control: Remote control capabilities provide a quick and efficient way for IT staff to fix many common user problems.
Provision of control over mobile applications is rapidly becoming a standard requirement for MDM vendors. In part this stems from the rising number of malicious applications that are appearing on the Android platform, as well as a recognition that many organizations are rolling out their own mobile applications for employees to use.
"What we have been seeing in the last year is that while customers view security as the primary driver for buying an MDM, the ability to manage mobile apps has rapidly become the secondary driver," said Ojas Rege, strategy vice president at California-based MDM vendor MobileIron. "What this comes down to is the ability both to keep bad apps out of devices and to allow good apps in."
Important application management features include:
- Applications whitelists and blacklists: Whitelisting provides a way for organizations to provide access to certain corporate applications by policy based on which group a given user belongs to. Blacklisting prevents users from downloading malicious or undesirable applications.
- Enterprise app stores: Many organizations make it a condition of employee-owned device usage that applications can only be downloaded and installed from an enterprise app store, the content of which is controlled by the IT department.
- App security: Some MDMs provide "application wrapping," or the ability to put policies into the library of an application so that, for example, users can't cut and paste from the app or move documents out of it.
- Data wipe by application: When an employee leaves an organization or changes role, a particular application's data can be removed from a device without affecting the rest of the data it holds.
MDM product differentiation
To a very large extent MDM vendors are restricted in the control that their products can exercise over a given device by the APIs that the device maker chooses to expose in its mobile operating system. That means that while every MDM platform is different, many of the core features and functionality are the same.
The ways that vendors differentiate their products include:
- Cloud delivery: MDM platforms are typically installed on premises, on dedicated servers, or as a physical or virtual appliance. But vendors (and managed service providers) are beginning to offer MDM platforms as a service from the cloud. Gartner estimates that around 15% of MDM implementations are currently provided from the cloud, and predicts that this figure will grow in the coming months. "You often still need proxy servers in your organization, even if you are using a cloud provider, but MDM as a service can scale better: MDM platforms may only support 25,000 users per server," said Redman. "Cloud based MDM is also appealing to smaller organizations," he added. Cloud based services cost around $60 per device per year, but Gartner expects this to fall by 50% over the next few years.
- Mobile operating system support: The overwhelming demand from customers is for support for iOS (58%), Blackberry (20%) and Android (9%), according to Redman. However, support for other platforms such as Microsoft's Window Phone 7 may also be important to some organizations.
- Integration with security and service management platforms. Some vendors such as Symantec and Boxtone provide integration with management platforms such as Microsoft's System Center or similar ones from HP, IBM or CA Technologies. And vendors such as Symantec and McAfee also provide integration with security policy engines from their own security products.
- Telephone expense management (TEM): TEM has traditionally been the responsibility of the telecom manager, and quite separate from the IT group responsible for security, compliance and mobile device management in general. But MDM vendors such as Tangoe are increasingly adding TEM capabilities into their MDM products to help manage voice and especially data charges and alert administrators when large bills are being incurred.
- Enterprise content management: Consumers are accustomed to the convenience of cloud-based storage systems like Dropbox, and these types of services are increasingly being used by corporate employees to store and synchronize corporate files and data. Enterprise content management features remove some of the security risks of using these services. "This is different from data loss prevention, which scans content and prevents it being sent outside the organization. This is more about how providing a secure way for documents to be accessed and stored on a mobile device," said Redman.
- Remediation: MDMs differ in what they can do if a user tries to carry out an activity that is in breach of a mobile policy, such as jailbreaking their device or attempting to download a blacklisted app. Some systems simply prevent users from carrying out such actions, while others notify the IT department that a device has fallen out of compliance so that the user can be warned. If this warning is ignored some MDMs have the capability to selectively remove all corporate data, apps and connectivity so that the employee-owned device reverts to being a consumer handset.
But Forrester's Kane warns that the features that differentiate products can change very quickly. "MDM technology is still immature, so what differentiates a product one day is a commodity the next," he said.