Mobile Device Management

For most of my career, I’ve been responsible for environments that have leaned heavily on Mobile Device Management (MDM) to help facilitate, drive, and streamline business objectives. Much of this experience has involved vetting, implementing, customizing, and maintaining various MDM platforms, and the devices they manage, to meet these objectives.

My motivation for doing a “deep dive” into MDM is that our team is asked about it regularly. Our clients want to know if they need it, what technical controls it offers, if it can be paired with BYOD environments, and if it meets their specific compliance and regulatory requirements.

To clear up any confusion right out of the gate, mainstream MDM providers typically support most device manufacturers and popular operating systems including, but not limited to, Android, iOS, Windows, and several Linux distributions.

The items I’ll be covering in this post may be discussed in broad terms, but you can rest assured that there is an MDM platform out there that will fit your organization’s specific needs.

Why Do I need Mobile Device Management?

There are hundreds of reasons why you should be considering MDM, but for the purposes of hitting the most common items, I’ll be focusing on the questions I mentioned in the intro.

Q: Do I need MDM?
A: The short answer is yes. In today’s digital workplace, with working from home becoming a standard practice for most businesses, you most definitely need a way to manage your devices. In organizations, large and small, losing the scope of control over device inventories is a pressing concern that could ultimately lead to serious business risks.

These risks are significantly heightened when you factor in equipment being shipped directly to employees during onboarding, potentially never stepping foot in your corporate office. Additionally, if you’re pursuing ISO 27001, SOC 2, etc., you’ll find that there are a few requirements around device management that can be fulfilled by MDM.

For instance, MDM can be leveraged to meet the requirements found in A.8.1 (Responsibility for Assets) of the ISO 27002 framework.

Q: What technical controls does MDM offer?
A: This is one of my favorite questions because the possibilities in terms of technical controls are virtually endless, and they are rapidly improving. Let me take a moment to make an example of a business problem I was once tasked with solving.

The problem was that we had recently migrated all of our user’s mailboxes from an on-premises Exchange server to Office 365 and we wanted a way to incentivize our user base to move over to the Microsoft Outlook app from their native email clients given its improved compatibility with Office 365.

Well, with MDM, this was a relatively simple proposition as we were able to deploy the app to all our corporate and employee-owned devices that had been enrolled in the MDM platform.

Additionally, we were able to preconfigure settings that would automatically sync email contacts to the user’s device, standardize the inbox view settings across the organization, revoke access to the app if the need arose, etc.

What this did was take a lot of the leg work involved in the setup process away from our end users which improved our adoption rate, and as a byproduct, it standardized a number of the support aspects encountered by our help desk team. Some other technical controls that can be leveraged are:

  • Geolocation Services
    • Can be used to send alerts when a device leaves a predefined geographic area
    • Log and report on GPS data in the event an employee in a fleet vehicle is involved in an accident for instance
  • Active Directory Integration
    • Streamlines device enrollment by leveraging users corporate accounts
    • Allows you to deploy applications and device settings to preexisting AD groups and organizational units
  • Remote Control
    • This gives administrators the ability to lock or wipe devices remotely when the need arises

Q: Can MDM be used in a BYOD or mixed-device environment?
A: Yes, you can leverage MDM in all types of environments.

If you’re in a 100% corporate-owned device environment or one that’s completely BOYD, simply set up your enrollment profile, desired system settings, and you’re off to the races.

In a mixed environment, you’ll want to consider setting up two separate enrollment profiles, one for your corporate-owned devices that has strong administrative controls, and another for employee-owned devices which would likely be limited to control over corporate-managed applications installed on the employee’s device, MDM push notifications, etc.

Q: Does MDM meet compliance requirements?
A: Yes, but this is dependent on the MDM platform you select and the effectiveness of your implementation configurations. To make a long story short, you should do most of your leg work and planning upfront to determine what your compliance requirements are as well as the corresponding technical controls, and then procure an MDM platform that can meet these requirements.

Conclusion
MDM is a powerful tool that can be used to facilitate critical information security, compliance, and business needs. If you have questions around choosing or deploying an MDM solution, you hould contact our vCISO experts to guide you through the process and help tie the implementation into your various compliance requirements.

Related post: Developing A Master Asset Inventory for SaaS Organizations