Review: Mobile Device Management
- 20 May, 2013 13:36
With the rise of mobile computing -- first via laptops, then smartphones and now tablets -- the IT landscape changed within the enterprise. No more was IT just about the local network, WANs and security for desktops and servers: it now had to incorporate mobile devices, spanning all manner of manufacturers, operating systems, and platforms and to do so without compromising security. The sheer volume of devices and the different software they run is a natural antithesis to network security. Yet, these devices are integral to the way business works today, and so the IT department must adapt.
Which is why Mobile Device Management (MDM) is a rapidly growing and evolving segment: as more and more mobile devices in all their forms find themselves integrated into the business network, the need to manage and secure them only increases. And thanks to the BYOD (bring your own device) phenomenon, it's not going out of fashion. If anything, it's more essential now than ever before. According to a study by Forrester, 37 per cent of employees are using devices on a business network before formal policies are instituted. The study is from 2011, so imagine what it's like today?
It doesn't help that most BYOD products -- aka the type your average consumer purchases -- weren't designed for the enterprise, further complicating. Hence MDM solutions are now at their fore, and there are plenty on offer.
MDM is the catchphrase du-jour at the moment, but not without good reason. Mobile devices are a part of the workplace landscape and are inescapable so it's up to IT to both incorporate these devices and manage them within the security of the network. This can be no easy task, depending on the size of the business. Good MDM software typically aims to:
- Control configuration settings on a mobile device
- Protect business data
- Distribute updates and patches
- Monitor and build reports
- Reduce support costs
- Minimise risk
- Support multiple architectures and platforms.
And, of course, providing secure access to the network, which is ultimately also where the greatest risk lies: a compromised device connecting to the network could give free reign to unscrupulous software or individuals. And that's a fine line CSOs need to walk, providing business continuity through the ever-increasing role of mobile devices while protecting business data from the many and varied attack vectors mobile devices naturally provide.
The term ‘mobile’, also, spans an increasingly larger repertoire of devices: it's not just smartphones but also tablets, laptops, portable printers -- anything really that can connect to your network.
It gets complicated further by BYOD. While traditionally devices such as smartphones can be provided by the company -- in which full control and ownership is assumed -- this trend is slowly dying. According to a recent study by Gartner, half of all employers will expect employees to bring their down devices by 2017, with 38 per cent of surveyed CIOs in the study stating subsidised devices will be phased out by 2016. Importantly, it also notes that the number of employees using mobile applications in the workplace will double by 2015.
All of which makes the CSO's job more important than ever. It's one thing to set policy and full control over a corporate sponsored device, but how much leeway do you have over personal devices?
Naturally there has to be some give and take, and for MDM software to work client devices must install software to interact with the MDM solution. If employees are to BYOD, they need to submit their device to be both controlled and monitored via client software to ensure it complies with security policy for the organisation. Any employees refusing to use the software need to have their devices locked out of the network. In a world where data can be shared in seconds and distributed half a world away via the internet, it's the only logical route to take.
Security Information and Event Management is yet another utility in the CSO's toolbox, with the goal of reporting real-time security alerts from network hardware and applications. Technically SIEM is an amalgamation of Security Event Management (SEM) and Security Information Management (SIM), with the former focusing on monitoring and notification of events and the latter on the long-term storage, reporting and analysis of this data. SIEM products can be found as both managed software services and hardware appliances.
Ideally an MDM solution should integrate with SIEM services to consolidate event reporting and management and aid in incident response, not to mention simply providing improved response to events through SIEM dashboards and make to it easier to track policy compliance among the multitude of devices managed by MDM software.
Server and client
MDM solutions encompass a server component, which sends out management commands to mobile devices, and a client component which runs on the device itself. Typically a MDM vendor provides both, but some products will work interchangeably with others.
Beyond the local network, OTA (over-the-air) programming capabilities are considered a central component, allowing devices to be managed and controlled even while out in the field by responding to specially crafted binary SMS messages. The versatility of an MDM solution should allow the ease of management of single specific device, or a whole fleet of devices, through local and OTA commands. This provides for a device or a fleet of devices to be configured, updated, locked or wiped—even while out in the field—and thereby protect stored data. Lost or stolen devices are inevitable, so being able to remotely wipe a device is core to the MDM manifesto.
Just as there are a wide variety of devices, MDM software should be able to manage disparate telco service providers. Additionally some MDM products are cloud-based, and accessible via self-service portals. Typically these are good for companies overwhelmed by the rapid growth of BYOD products and prefer outsourced solutions, not to mention that they can save costs on dedicated server equipment.
By controlling and protecting data and settings for all mobile devices on a network this, MDM software can not only help minimise risk but also help reduce support costs.
However, given the wide scope of devices mobile now encompasses, and that every business has different needs, trialling MDM solutions is a must. Beyond examining how it will integrate into your current services offerings, it's essential to see how well it runs with pilot users and their devices and laptops in the organisation. Additionally, this can help adoption of an MDM solution too—with the pilot users becoming advocates for adoption of MDM in the organisation once it's realised that having BYOD devices fall under the purview of the IT department isn't as bad as it might initially seem. This does depend, in part, however, on how well the MDM solution makes enrolling and device management for users as seamless and painless as possible.
What to look for
What to look for when shopping for a MDM product is as varied as the companies and the mobile devices they encompass. Every business has different needs, different policies, and different budgets. However, we can distil the collective experience and wisdom of MDM solutions to provide a guide on what's important when considering a product, and the type of questions you should ask before you sign up with any one vendor.
Security: There are a range of standard features you would hope are included, but it's worth asking none the less. These include policy enforcement for both device and application configuration, remote wipe capability, being able to disable Bluetooth, restrict access to the phone's app-store equivalent, detection of rooted devices, server access policies based on user and device, and strong password enforcement. This is the bare minimum, but there's plenty more to look at as we cover below.
Password management: The ability monitor the quality of passwords used on remote devices: throwing up warnings for weak passwords for example that could compromise a device's security, or preventing them being set in the first place. Weak passwords are an easily mitigated security risk. What level of granularity does the solution provide for password management? Does it work the same way across all supported platforms?
Application management: being able to disallow access to a program on the device or remove it remotely on demand is essential, as well as preventing a known list of bad applications from being installed. If you don't have control over what applications can run on the device that might access network data, then you have no control on where that data is going. Can you set access privileges on the applications your business uses? Does it support all the device platforms in use?
Self-service options: At the same time it's helpful to let users take care of their own needs, especially as it can save on support costs. How easy is it for them to setup a new device themselves to access the network? Or reset or change their passwords? Is there a portal or automated process they can use to manage their device?
Simple device enrolment: Complexity breeds non-compliance, so does the product make it simple for users to install the client software and agree to your usage policies? Can it install, setup, and configure in one go and with minimal interruption for the user?
Selective wipe: In the event of loss or theft you want a complete remote-wipe, but the option for wiping only corporate data should be present too: this way if an employee leaves the company or they simply upgrade a device it can be cleaned of business data without impacting their personal data. Naturally, this should also preserve a user's personal settings, favourite apps, and contacts.
Flexible integration: Being able to plug into other enterprise tools you're already using, from data-loss prevention to Security Information and Event Management (SIEM). As the scope of MDM is ever expanding, being able to interoperate with a variety of other services you currently run is not just desirable but will often be essential. Ask the vendor if their MDM solution works with the services you're currently using.
Flexible policies: The ability to create user- or task-based policies as required to support business and an individual's needs. Can you segment application and network resource access based on device, user, or department?
Platform support: With the rate at which new smartphones and tablets are hitting the market, it's essential the MDM solution supports end-point software for the wide variety of architectures and operating systems. If your system supports Windows and Android but not Mac OS X, you're going to have some sad news for the department head who bought a new Macbook to use on the road.
Software distribution: Does the solution manage operating system patches, application updates, and anti-virus updates in addition to distribution applications and updating the end-point software? How easy is it to monitor and manage compliance for devices to be up-to-date, and can you segregate BYOD devices from company-owned products?
Scalability: While most MDM platforms will support thousands or tens of thousands of devices, what happens if you need to support hundreds of thousands or more down the track? Look at not just what your needs are today, but what they might be in future. How scalable is the product, how many devices can it manage?
Analytics and reporting: Beyond the status and security of managed devices, metrics on application and data usage can provide a valuable insight into how devices are being used by employees. This can tie into application management: if employees are sharing data through a third-party cloud app, you can only prevent or manage it if you know it's happening, not to mention help to reduce costs by ensuring bandwidth caps, SMS and voice thresholds with a telco are not exceeded.
Encryption: Encrypt corporate data and applications on a device as well as ensure encrypted communication between the device and the network. What level of encryption is supported? Is it enabled for every end-point and server transaction?
On-site or cloud: Depending on the size of your business and the disparity of your staff, a cloud-based solution may be preferred over an on-site installation. This can be more cost-effective for small companies and allows you to easily scale as you grow, not to mention tap into powerful management solutions that might normally be beyond the scope of your business by going with per-device subscription models to cloud-based services.
MDM is big business. There are over 30 vendors in the market at the time of writing with a wide range of offerings. We can't cover them all, but here’s our take on some of the more well-known players:
AmTel's list of features appears to tick every box, with support for the usual suspects of user self-enrolment, device tracking and app management as well as secure content sharing, call routing over a private network, and 'geo-fencing' to restrict app and device features (such as disabling camera or Wi-Fi) based on location. Platform support is good, though not as extensive as other solutions covered here. Still, the staples of Android, iOS, Blackberry and Windows Mobile/Phone are covered. For iOS integration with Apple's Configurator is supported, as well. AmTel's solution also includes extensive app management, secure document sharing, push messaging for emergency notifications, and cloud-based rapid deployment features.
AirWatch makes note of the size of the company and its extensive partners, which is almost as large the number of platforms it supports -- Android, iOS, Blackberry, Symbian and Windows Mobile/Phone 8 as well as vendor specific devices from HTC, Samsung, Lenovo and even Amazon's Kindle Fire. Simple wizards make it easy for users to enrol their devices, while web-based dashboards give administrators ample data on compliance, asset management, and data usage. Various privacy features allow corporate and personal data to be separated on devices, while a self-service management console for users helps to reduce the burden on IT for device management. Paired with the AirWatch Mobile Content Management service, the MDM solution is expanded with collaboration and sharing features, public and private secure cloud storage, and encrypted and secured access to corporate data and services.
Formerly Zenprise, this well-known product sports an enterprise app store that allows users to install administrator-approved apps, and includes its own 'app containers' to separate business apps and data from personal ones on a device. All the usual suspects are supported including Android, iOS, Blackberry, Symbian and Windows mobile/Phone 7, but desktop OS versions are not. Simple provisioning and self-service enrolment takes some of the headache out of adding new devices, while at the other end of the spectrum decommissioning features make it easy to manage lost, stolen or replaced devices in an auditable way.
XenMobile MDM is actually just the core MDM product, for features such as application identity management, secure browsing and remote access, and Microsoft SharePoint integration the full Mobile Solutions Bundle is provided, which pairs XenMobile MDM with the Citrix CloudGateway service.
Similar to LANDesk's solution (below), IBM's Endpoint Manager for Mobile Devices is just one component of a range of endpoint products by big blue such as its Lifecycle Management, Software Use Analysis and Security and Compliance suites. The Endpoint Manager for Mobile Devices supports the core features of inventory management, an enterprise app store, location services, and security features such as encryption, remote wipe, and policy enforcement. It has perhaps one of the more extensive lists of supported platform coverage that encompasses Android, iOS, Blackberry, Symbian, Windows Mobile, Windows Phone and all of Windows, Mac OS X, Linux and Unix for desktop clients.
LANDesk's suite is a collection of tools from its Total User Management solution which include Inventory Manager, Mobility Manager and the core Management suite. Full support for device discovery, enrolment, and policy enforcement can be had across a range of platforms that include Android and iOS, but not BlackBerry, Symbian and Windows Phone. Conversely, it supports all desktop platforms in Windows, Mac OS X and Linux. Additionally a self-service portal allows users to perform basic management of their device, while administrators have access to a plethora of tools including an extensive management and reporting console that allows you to easily view, report on and distribute software to managed devices. The Mobility Manager is considered an extension of the core LANDesk suite, which also means it works seamlessly with other LANDesk products such as Anti-Virus, Data Protection, Service Desk, and Asset Lifecycle Manager.
MaaS360 supports the full gamut of mobile platforms with end-point clients for Blackberry, Symbian, Windows Mobile, Windows Phone 7, and of course Android and iOS. It also supports Mac and Windows desktop OSes, including Windows 8, so it can encompass laptops and Windows tablets. It also bundles a 'Secure Browser' for all platforms that allows secure access to intranets and corporate networks without a VPN, along with the similarly titled Secure Mail and Secure Document Sharing to do the same. Device enrolment can be done via a custom URL, email or SMS and beyond the usual suite of security features also allows geo-fencing to enforce compliance based on location, while an emphasis on expense management allows for easy monitoring of data usage and telco plans.
MobileIron has made a name for itself as a leader in the MDM ecosystem, providing wide platform support with a focus on Mac OS X to bring Macs under the BYOD banner. Its iOS support is extensive as well, allowing full control to track and distribute approved iPhone and iPad apps. It's no slouch with other platforms however bundling Android, Blackberry, Symbian and the latest Windows Phone 8 support as well. An integrated enterprise app store helps track and secure apps on mobile platforms, while an application distribution engine allows fast access to custom corporate apps. A management and reporting console called MobileIron Atlas provides extensive overview of managed devices, status reports, identification and troubleshooting of issues, and custom reporting. Like other solutions here, MobileIron also includes secure browsing, email and document storage tools, along with Microsoft SharePoint integration.