How does mobile device management (MDM) work?

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Enterprise IT and security teams are stretched thin by the growing number of mobile device types invading the enterprise -- many owned by employees -- the variety of OSs and the sheer volume of mobile apps users are requesting. Questions abound.

How, for example, will IT ensure corporate intellectual property remains intact? Who has responsibility for updating, distributing and securing mobile apps being developed by various departments and/or geographic divisions? How do enterprises gain an acceptable balance of security and corporate resource-access across all of the leading mobile platforms (Android, BlackBerry, iOS and Windows Phone)?

CLEAR CHOICE TEST: How to protect smartphones and tablets

GARTNER: How to get a handle on mobile device management

Organizations seeking to address these issues are increasingly turning to mobile device management (MDM) software. The MDM market is evolving rapidly, meaning vendors that previously had first-mover advantage have had to evolve to support new platforms and the enterprise's shifting needs. In addition, new disrupters have tried to enter the MDM space with repurposed product, primarily from adjacent markets such as mobile services management (MSM), mobile security (endpoint/VPN), and telecom expense management (TEM).

Regardless of its origin, the complete MDM solution should address the complete enterprise mobile security, device, data and app life cycles.

Securing enterprise mobility with MDM typically involves four primary phases. Phase 1 focuses on provisioning, during which devices "inherit" an enterprise persona, as determined by the mobile IT and security staff in charge of enterprise mobility. This phase includes leveraging all existing corporate network infrastructure to help avoid resource complexity and duplication.

Many of the devices being provisioned are personally owned mobile devices that are also used for business apps. This bring-your-own-device (BYOD) trend is one of the more dramatic results of the consumerization of IT, in which consumer preference, not corporate initiative, drives the adoption of technologies in the enterprise.

Mobile IT has increasingly allowed BYOD to drive employee satisfaction and productivity through the use of new technologies, while simultaneously reducing mobile expenses. However, many newer smartphones, tablets, and their apps were not built with enterprise requirements in mind, so IT teams often feel uncomfortable about security and supportability. [Also see: "Can employee-owned devoices save companies money?"]

BYOD has many complex and hidden implications, such as the need for privacy policy, separate policies for corporate vs. personal devices, and certificate-based identity, for which a strategy needs to be defined in advance of implementation. For example, MDM software ideally uses an enterprise's existing certificate authority to secure the device, thus leveraging security and network investments IT has already made. In fact, the MDM software can serve as the centralized certificate authority server for corporate resources, including ActiveSync (email access).

Phase 2 involves the mobile IT team actively managing all devices -- phones, tablets, iPod Touches, etc. -- to help ensure the original enterprise persona remains intact. At this point, users are given wide-ranging access to corporate resources, including apps, email, secure directories and even cloud-based file storage. Ideally, the mobile IT team has also published a corresponding "declaration" to its mobile users, outlining what is permissible (e.g., using your device for non-business gaming) and what is not (e.g., downloading a virus-laden open-source game).

When new devices are added to the enterprise, the existing persona is literally imprinted via MDM software before the device can gain access to corporate resources. MDM controls different levels of business permissions, including those derived from LDAP and Active Directory, so that rules and policies are granularly defined based on an employee's role, division or seniority. For example, a company implements different security policies for senior executives in finance than it does for entry-level sales staffers.

Lastly, with the growing use of open source apps and operating systems, mobile IT can easily deny access to the corporate network based on the security posture of the device, denying network access to compromised (jailbroken or rooted) devices, app permissions (including whitelist and blacklist) and policy sharing, so new mobile apps have enterprise permissions "pre-baked" before deployment.

In Phase 3 mobile IT is now responsible for managing mobile apps for business users. In this phase, mobile IT management must address a nearly infinite variety of apps, devices, personas and operating systems. MDM helps solve this complex set of issues, including the ability to deliver a private, company-specific enterprise app storefront. This corporate application library is discoverable and provides both the tightest security and best end-user experience for the distribution, inventory and delivery of mobile applications companywide.

Last, Phase 4 of the continuous MDM software life cycle has users limiting their costly mobile service plan overages with the help of MDM software application programming interfaces (APIs) designed to detect and reduce international plan overages. Of the millions of the Fortune 1000 enterprise users depending on MDM software, a majority of them experience international plan overages measured by $10,000 or more per month.

Of course, when the user leaves the company, the mobile IT group uses MDM to simply remove the enterprise, personal and all accompanying permissions to protect their intellectual property. MDM software accomplishes this task on employee devices (BYOD) by means of a selective wipe, ensuring that no pictures, music or other non-work files are removed. For corporate-liable devices, MDM software offers a complete wipe and device "retirement" before it can be re-enabled for a new user.

MDM software has clearly become an indispensable tool for mobile IT as all of these enterprise devices undergo rapid consumerization. In closing, the recent Forrester "Consumerization Drives Smartphone Proliferation" report validates three MDM trends:

1. Consumerization is the dominant force in smartphone selection. Seventy-seven percent of smartphones used at work are chosen by an employee, and 48% are chosen without regard for IT support. That means only 23% of the smartphones used at work in the U.S. are delivered as a take-it or-leave-it device by IT. And three-fifths of that 23% are BlackBerries.

2. Consumerization means choice, which means Apple and Android devices. RIM still has a plurality of smartphones in U.S. companies and organizations with 42% of the installed base. But together, Android (26%) and Apple (22%) have a bigger slice of the workforce market than does RIM. The force of consumerization becomes even clearer when you see that when people choose their own phone, 59% choose Android or Apple while 25% select BlackBerry. [Also see: "Mobile device management: Apple's extra little tricky requirement"]

3. Consumerization also means that employees are willing to share the cost burden. Employees pay all (48%) or some (9%) of the cost of the smartphone they use for work. They also pay all (40%) or some (14%) of the cost of the monthly bill. While there is no guarantee that every employee wants one phone for both work and personal use, it's clear from the data that a majority of U.S. information workers today are willing to share the cost and the benefit of a smartphone used at both home and work.

Enterprise IT and security teams ultimately need MDM software to keep secure pace with the growing complexity of device types, OS options and sheer velocity of mobile apps in their user's hands.

MobileIron's purpose-built MDM software provides global companies with a highly scalable solution for mobile device management, security and enterprise app storefronts and was positioned in the Leaders Quadrant of Gartner's Magic Quadrant for Mobile Device Management.

Read more about wide area network in Network World's Wide Area Network section.

Join the CSO newsletter!

Error: Please check your email address.

More about AppleBlackBerryetworkGartnerGoogleLANMobileIronResearch In Motion

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Adam Stein, marketing director, MobileIron

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place