Mobile device management at the application layer
In this era of tech-savvy business people using their personal devices to work, employees are concerned that if they lose their device — or if it’s stolen — the company will wipe it clean to protect any sensitive company data. Now, it’s not a mobile device management (MDM) manager’s job to care if a few personal pictures get lost, but they should realize that end users do care, and as a result might attempt to circumvent the MDM to keep their personal contacts, photos, and other information safe.
Because of this shift in mentality toward keeping personal and corporate information separate, MDM suppliers are looking to secure smart devices at the application layer. It’s a double-edged sword, because employees want an unobtrusive tool without a lot of oversight, but one that still allows IT to stay up to date on the organization’s security requirements.
Can you be non-intrusive and secure?
The most requested feature of 2012 we heard from customers was the ability to wipe corporate data off of a device without deleting the contents of the entire device. That’s been the problem so far with most MDM solutions – they treat the device as a single container and make it work in a way that the organization dictates. With the shift to managing the applications, you give the user a chance to use the device as they intended, while allowing for extra management of content and security.
One problem that arises when you look further into application management is that app markets like the Google Play Store do very little in terms of vetting applications before they’re made available to the public. Though they’re making a more concerted effort now than a few months ago, the amount of oversight is still fairly low. From an MDM perspective, if you knew the name of an application you could add it to a blacklist, but malicious applications tend to multiply by the thousands every day. It would be nearly impossible to block them all.
But it’s rare for organizations to maintain an extensive application blacklist. Firstly, it’s a lot of work, and secondly, it’s obtrusive to the user. And while a manager might not care if an employee can’t play Angry Birds, a disgruntled user might try to find a way around it and end up compromising your infrastructure’s security.
It seems as though all MDM solutions were eventually leading up to this point: every revision of mobile operating systems gives more capability to the MDM side of the equation. Mobile operating systems have become a lot more enterprise-friendly than they were six months ago.
What kind of MDM solutions exist?
AirWatch started out as a traditional mobile device management provider, but they have created a very large, full-featured suite of services when it comes to application and content management. Good, on the other hand, was first conceived as an ideal system for mobile application management (MAM) because it containerizes corporate information (email, contacts, calendars, etc.) and places it into a specialized application that is double-encrypted.
That seems to be where the MDM industry is heading. Samsung, for instance, is offering an enterprise mobile solution called KNOX that aims to create an absolutely hardline separation of corporate and personal data.
On the Apple side, there is already very aggressive sandboxing of applications, so they are unable to communicate unless explicitly allowed. That restriction takes conventional endpoint protection out of the loop, because it ensures that typical breaches in security (viruses, for example) can’t happen. Android is not as aggressive, but BlackBerry is embracing it in a big way.
How do I choose an MDM solution?
For organizations considering implementing an MDM solution, the best way to start is to have a mobile device policy already written out. When you already have rules laid out for your end users, it will be a lot easier to vet one vendor against another. It’s also important to recognize if your organization deals with electronic health records (HIPAA) or the military, because you’ll have to adhere to specific encryption and security protocols.
How complicated is it to set up?
For the MDM administrator, application management is simple to set up. It’s just a matter of specifying the applications they anticipate a user will use and then pushing them down through MDM enrollment. With platforms like AirWatch and MaaS360, this takes an administrator about six clicks.
In the end, the shift toward application management is a good thing. Users typically don’t mind if they’re managed; they just don’t want to be conscious of that fact. They want to use their devices as they were intended to be used, without their organization dictating their use. That kind of dictation is intrusive and, in the end, defeats the purpose of a smart device.