Security Manager's Journal: Siccing MDM on personal mobile devices

We looked into mobile device management (MDM) in 2012, but the time didn't seem right. Now, some 18 months later, things have changed, and MDM is looking more like a good fit for us.

Trouble Ticket

At issue: Too many personal smartphones, tablets and PCs are being connected to the network.

Action plan: Take a new look at mobile device management to see how effective it can be at reining it all in.

There's no question that we need better control over the plethora of personally owned mobile devices connecting to our corporate network and accessing applications that contain sensitive company data. Naturally, we have policies that forbid users from connecting a personally owned device to the corporate network, but they aren't enforced. As a result, we have too many personal iPhones, iPads, Androids and PCs on our network.

Back in 2012, we didn't feel that the MDM market was mature enough to fork over up to $300,000 per year to solve a problem that was somewhat mitigated by existing technology and processes. The mitigation came in part from the fact that users need a domain account to connect to our corporate wireless access points. We don't advertise the SSID and we have a strong password that enables encryption. But the "security by obscurity" approach only goes so far, and it didn't take long for employees to spread the word about how to connect personally owned devices to the corporate Wi-Fi network.

As I said, the MDM market just wasn't mature a year and a half ago. There was talk of buyouts, compatibility issues and a lack of features. We couldn't find enough satisfied customers to make the investment seem worthwhile.

Much Has Changed

Today, though, prices have dropped, and the market has matured. What's more, our recent deployment of network access control (NAC) technology should complement an MDM deployment.

NAC is aimed at the desktops on our network. We're still working out the kinks, trying to eliminate false positives and establish a process for exempting certain devices. When we do turn on enforcement and start blocking non-corporate devices, we want to use MDM as the control point for the identification of registered mobile devices.

MDM will help us enforce our current mobile device policy: We can set it to accept only "strong" passwords and to initiate device lock after a defined period of inactivity. We can also use it to wipe devices that go missing.

Even better, though, MDM will let us extend our policy to identify unlocked or jailbroken devices and require compartmentalization of data. (Compartmentalization involves the separation of personal and corporate data; it will provide some flexibility, so that when an employee leaves the company, we can wipe only our company's data and not any of the employee's personal data.) We can also create a corporate application store, which means that when an employee leaves, we can just wipe the data associated with those corporate apps, leaving personal apps alone.

So here's the vision: Once NAC and MDM are in place, we will be able to easily identify any unregistered devices and bar them from the network. If users want to register any of those banned devices, they will have to comply with the security policy in exchange for seamless access to our network and to certain applications.
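To make the registration gate concrete, here is an added Python sketch of the decision logic the column describes: NAC asks whether a device is registered and compliant, MDM answers against the policy (strong passcode, inactivity lock, no jailbreak, compartmentalized corporate data), and departures trigger a selective wipe of corporate data only. This is example code, not the column's own or any MDM vendor's API; the concrete thresholds (an 8-character alphanumeric passcode, a 5-minute lock timeout) and the device records are assumptions and constructed samples.

```python
"""Policy-evaluation sketch for an MDM-backed NAC registration gate.

Added example, not the column's code or any vendor's product. The policy
thresholds below are assumptions: the column only says "strong" passwords
and "a defined period of inactivity".
"""
from dataclasses import dataclass, field
from typing import List, Optional

MIN_PASSCODE_LEN = 8        # assumed meaning of "strong" passcode
MAX_LOCK_TIMEOUT_S = 300    # assumed "defined period of inactivity"


@dataclass
class DeviceRecord:
    """What the MDM agent reports about one device (constructed fields)."""
    device_id: str
    registered: bool                        # enrolled in MDM at all?
    passcode_len: int = 0
    passcode_alnum: bool = False            # letters and digits, not PIN-only
    lock_timeout_s: Optional[int] = None    # None = auto-lock disabled
    jailbroken: bool = False
    corporate_container: bool = False       # personal/corporate data separated?
    corporate_apps: List[str] = field(default_factory=list)
    personal_apps: List[str] = field(default_factory=list)


def compliance_violations(dev: DeviceRecord) -> List[str]:
    """Return every policy rule the device fails; an empty list means compliant."""
    violations = []
    if not dev.registered:
        # Nothing an unenrolled device reports can be trusted, so stop here.
        violations.append("not registered in MDM")
        return violations
    if dev.passcode_len < MIN_PASSCODE_LEN or not dev.passcode_alnum:
        violations.append("weak passcode")
    if dev.lock_timeout_s is None or dev.lock_timeout_s > MAX_LOCK_TIMEOUT_S:
        violations.append("inactivity lock missing or too long")
    if dev.jailbroken:
        violations.append("jailbroken/rooted")
    if not dev.corporate_container:
        violations.append("corporate data not compartmentalized")
    return violations


def nac_decision(dev: DeviceRecord) -> str:
    """The control point: NAC admits only devices MDM reports as compliant."""
    return "allow" if not compliance_violations(dev) else "block"


def offboarding_wipe_plan(dev: DeviceRecord) -> dict:
    """Selective wipe when an employee leaves: corporate container and
    corporate-app data go, personal apps stay."""
    return {
        "wipe_container": dev.corporate_container,
        "wipe_app_data": sorted(dev.corporate_apps),
        "leave_alone": sorted(dev.personal_apps),
    }


if __name__ == "__main__":
    # Constructed sample devices, not real inventory.
    fleet = [
        DeviceRecord("ipad-001", True, 10, True, 120, False, True,
                     ["corp-mail", "corp-crm"], ["games"]),
        DeviceRecord("android-077", False),
        DeviceRecord("iphone-042", True, 4, False, None, True, False),
    ]
    for dev in fleet:
        print(dev.device_id, nac_decision(dev), compliance_violations(dev))
    print(offboarding_wipe_plan(fleet[0]))
```

The early return for unregistered devices matters: the other checks rely on agent-reported attributes, and a device that never enrolled has no trustworthy agent to report them.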

I'll let you know how close we get to achieving that vision.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
