A mobile device management (MDM) system is to enterprise tablets and smartphones what a management console is to servers and desktop/laptop clients. With an MDM, you control, manage and protect the data and configuration settings on end users’ mobile devices: preventing the installation of unauthorized apps, protecting data, and, if necessary, wiping a lost device.
We all know the benefits of BYOD: happy, more productive employees who get more work done, while the company saves money by not having to buy more equipment inventory. But there are downsides as well: data protection and management are issues. This is where MDM becomes a necessity.
"MDM can go a long way to balancing BYOD issues," said Bryan Taylor, research director for enterprise mobility at Gartner. "No approach today in the mainstream market is going to cover all those bases. They tend to be good enough for the vast majority -- what these tools offer will be good enough."
The fact is an increasing number of mobile devices (read: tablets and smartphones) are now carrying as much sensitive data and information as a laptop, so you need to secure them just like you would a PC. Today, MDM products try to protect data by closing holes in the apps and locking down the device, which are proxies for the real problem, said Taylor. "The tools that we have in MDM today are just adequate. This is just a stopping point. This isn't the way we will do things three to five years from now. Ultimately, the whole paradigm will shift toward more data protection," he said.
An MDM solution protects sensitive corporate data by enforcing corporate security policies. End users who want to access corporate data using their own mobile devices need to understand that while it is their device, it is company data and the company has a clear and apparent interest in protecting that data.
Unfortunately, a lot of companies are not having this conversation, said Jack Gold, president of J. Gold Associates, a mobile communications consultancy. "It's not just about the products you deploy but how you implement them. Equally important is telling those users up front about those policies, which most companies don't do. Very few communicate what employees should expect, which is important to get that buy-in up front," he said.
There's free MDM software out there, like Cisco's Meraki, Miradore Online, SpiceWorks and Microsoft's Office 365, which has basic MDM built in. But enterprises usually want more features than these basic apps, which are built around secure mail delivery and remote wipe. Good enterprise-class MDM software should at least offer:
* Enforcement of passwords: Even a four-digit passcode is enough to stop most people from getting at the contents of a lost iPhone.
* Data loss prevention: The MDM should protect certain types of corporate data from being sent off the device by things like a USB port or email.
* Malware detection: Mobile malware has exploded, particularly on the more open Android operating system.
* Remote device lock/wipe: Mandatory. The ability to wipe a lost phone or tablet can be found even in free MDM software.
* Data encryption: Data should be encrypted not just on the device but also when it is being transmitted back and forth via VPN, since these devices might be used on a public network.
* Jailbreak/root detection: It may be their device, but jailbreaking or rooting a mobile device bypasses many OS-level security restrictions and may also allow the user to bypass the MDM security policies.
Most MDM products have these features. So how do they differ? There are several ways firms try to distinguish their products:
* Cloud support: Some MDM platforms are only on-premises, on dedicated servers or on an appliance. Some are moving to the cloud, like Tibco and IBM MaaS360.
* Integration with existing security management platforms. Some MDM products are stand-alone and separate while others offer integration with management platforms from Microsoft, IBM, HP, or CA.
* Enterprise content management. How do they handle enterprise content? Some use third-party products like Dropbox while others use the internal content management solution.
* Mobile operating system support. iOS is the overwhelming corporate favorite, and Apple's alliance with IBM should further its lead, but you still want to see if there is support for Android, Blackberry, and Windows Phone.
MDM has evolved from basic device management into what many are now calling EMM, or Enterprise Mobile Management. MDM is a subset of EMM, and EMM is as mandatory as MDM.
"MDM was good enough in the days when we just used mobile phones as communication tools," said Taylor. "These days we use them more the powerful, personal computers they are. So one of your criteria should be if you plan to use these devices to mobilize business processes and not just features, you'll need to look at a bigger feature set than MDM gives you."
EMM features and functionality include:
* Mobile Application Management (MAM): Probably the biggest difference between MDM and EMM. MDM does not manage apps, or not very well. MAM offers considerably more app management than a standard MDM.
A comprehensive, end-to-end MAM solution covers functions like controlling what is or is not installed on a device, version control and updating, app monitoring, user authentication, app wrapping (putting security features the app does not have around it), event management and use analytics.