barefoot cybersecurity

security… mobility… cloud… technology… whatever…


Mobile Device Management 101

Like it or not, smartphones and tablets are all over our enterprise networks. Users now expect to be able to carry around their mobile devices and have instant access to their corporate email account and documents. As business leaders we mostly embrace this change and welcome mobility into the work environment. We want to empower our users to work from anywhere and increase productivity using technology they enjoy carrying. However, those of us with at least one foot in the security department understand the greater risks of letting users loose to roam the globe carrying the company’s most sensitive information on the world’s most steal-able devices.

There was a time when only remote users and executive-level employees would be issued a company-owned device. But when a technically savvy general population was able to buy its own smartphones, and Apple devices started to make their way into the boardroom, we saw the introduction of BYOD: Bring Your Own Device. The move towards mobile working for all is here.

BlackBerry brought mobile email to the mass business market, so we installed enterprise servers to enforce some security and improve the user experience (who needs to know how to configure an IMAP server on a phone anyhow?). The landscape has changed, and most businesses trying to manage devices from Apple, Samsung, BlackBerry and Nokia, to name a few, will struggle without some kind of enterprise software solution to roll out configurations and enforce security.

This is the primary function of a Mobile Device Management (MDM) solution: managing which devices belong to each user and applying configuration policies based on various criteria, for instance whether the device is owned by the company or the employee, what its operating system is, and what the confidentiality level of the information the user is accessing is. These policies are enforced with rules that specify the consequences of being out of policy, including blocking further email to the device or sending SMS and email notifications to the user and IT administrators informing them of policy violations.

Furthermore, leading MDM solutions understand the source of the data residing on each device, and therefore which data belongs to the user personally and which belongs to the business. This is extremely useful when an employee leaves the business, to ensure that not only is their access to corporate resources revoked but the company’s data residing on their device is wiped, whilst preserving the user’s personal email, documents, photos and music. This is known as a selective wipe of the device, as opposed to an entire wipe of all data, which might be used if, for instance, a device was permanently lost.

Basic security

According to, $2.7 billion worth of smartphones were lost in 2011. It’s fair to say that the majority of those phones did not have even the most basic of security measures applied: a simple PIN code to protect privacy. Businesses today invest money and effort enforcing data leakage controls on their networks to protect company information, so it stands to reason that if a user is to read their corporate email on their phone, a security policy should be applied. Of course, you could just tell a user to please enable a PIN and encryption, but it would be impossible to police users turning it off because of the inconvenience. MDM enforces these policies and has the capability to wipe all the corporate data if users do not comply.
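As an added illustration (not code from the original post or any MDM product), the following Python sketch models the policy logic described above: compliance rules for PIN, encryption and jailbreak status, consequences such as blocking email and notifying the user or administrators, and the choice between a selective wipe of corporate data on an employee-owned device and a full wipe of a company-owned or permanently lost one. The device attributes, rule names and action names are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Device:
    owner: str          # "company" or "employee" (BYOD)
    os: str             # e.g. "ios", "android"
    has_pin: bool
    encrypted: bool
    jailbroken: bool    # jailbroken or rooted
    data_level: str     # confidentiality of data accessed: "public", "internal", "confidential"

# Constructed policy rules: each names the condition a compliant device satisfies and the
# consequences applied when it does not. "wipe" is scoped by ownership in evaluate().
RULES = [
    {"name": "passcode-required", "check": lambda d: d.has_pin,
     "actions": ["notify_user", "notify_admin", "block_email"]},
    {"name": "encryption-required", "check": lambda d: d.encrypted or d.data_level == "public",
     "actions": ["notify_user", "block_email"]},
    {"name": "no-jailbreak", "check": lambda d: not d.jailbroken,
     "actions": ["notify_admin", "block_email", "wipe"]},
]

def evaluate(device: Device) -> dict:
    """Return the violated rules and the de-duplicated actions to enforce, in rule order."""
    violations, actions = [], []
    for rule in RULES:
        if not rule["check"](device):
            violations.append(rule["name"])
            for action in rule["actions"]:
                if action not in actions:
                    actions.append(action)
    # A wipe on an employee-owned device is limited to corporate data so personal email,
    # photos and music survive; a company-owned device may be wiped entirely.
    if "wipe" in actions:
        scoped = "full_wipe" if device.owner == "company" else "selective_wipe"
        actions[actions.index("wipe")] = scoped
    return {"compliant": not violations, "violations": violations, "actions": actions}

def offboarding_action(device: Device, permanently_lost: bool = False) -> str:
    """Leaver: revoke access and wipe corporate data only; lost device: wipe everything."""
    return "full_wipe" if permanently_lost else "selective_wipe"

if __name__ == "__main__":
    byod = Device("employee", "android", has_pin=False, encrypted=False,
                  jailbroken=True, data_level="confidential")
    print(evaluate(byod))
    print(offboarding_action(byod), offboarding_action(byod, permanently_lost=True))
```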

WiFi/Email/VPN Settings

Imagine the time and effort involved in supporting every new user, on multiple different mobile operating systems, to configure their Exchange email account, connect to the WiFi and configure the VPN. With MDM, these configuration settings can be distributed over the air to each new user who is registered on the MDM server.

Application Control

Another key benefit of MDM is the integrated ability to manage mobile apps for business users. Businesses typically want the ability to securely manage which mobile applications are installed on their devices. Administrators select which applications are required, allowed or disallowed. The company’s preferred CRM and VoIP apps may be recommended to all users, whilst it is difficult to think of a good reason why Angry Birds should be installed on a company-owned iPad!

Document Control

Then there is the Dropbox problem. Unless users are provided with legitimate methods to carry around the documents they require, they will inevitably find an alternative way. Dropbox and Gmail give users exactly that opportunity, which is why leading MDM solutions provide access to, storage of and viewing of documents from email and SharePoint, and enable the business to protect these documents from unauthorised distribution.

…and the rest

Of course, MDM can deliver much more. Depending on the solution used, you may disable certain features like the camera or Bluetooth on company-owned devices, ensure that devices only connect to WiFi networks with adequate security, and have devices located on a map if lost. Often there are cost-control features to warn of or prevent excessive usage and roaming charges. The detection of jailbroken or rooted devices, which are more susceptible to malware, is another important feature.

In all of this, it is key to remember to work with a vendor that can support all your operating systems and preserve the user experience. One thing is for sure: today’s users are as smart as their devices, and if their user experience is spoilt by a poor implementation of MDM, they will look for a way to bypass it.