Selecting the Right Mobile Device Management (MDM) Software
Smartphones and tablets have made their way into the enterprise, and they are here to stay. Whether it’s BYOD or company-owned devices, sysadmins struggle with managing these devices and controlling access to company data. If these mobile devices are not properly managed, they can pose huge security risks to your company’s network and data.
Mobile Device Management (MDM) software can manage your devices, push down security policies, prevent access to resources, and basically secure your company’s assets as much as you need it to. As with everything else, mobile device management software can range from bare-bones manageability to high-end, practically lined-with-gold software that has all the bells and whistles. For those already using Exchange Server 2010 or SCCM, there is even the option of using the ActiveSync policies within Exchange or the SCCM 2012 mobile device policies to manage these devices.
Mobile Device Management: What to Consider
You have a small buffet of MDM software from which to choose, so it can be difficult to know where to start. That’s where I step in with my list of things to think about when considering an MDM solution.
1. Device standards – What type of devices will be allowed to access the company’s resources? Are you planning on allowing only iDevices, such as the iPad and iPhone, or a range of devices including Android and BlackBerry? Having a defined list of what you plan to support sets expectations up front about what you can and cannot support, which can limit the MDM products you have to choose from. Not all MDM software is created equal: some products have limited support for Android devices, which could impact your ability to support those devices if you choose one of them.
2. Restrictions and protection – What restrictions do you need and what will you allow the devices to access? What do you want to protect on your network? This is an important question to ask yourself because it defines what your real intent is. Here are some other questions to consider:
- Are you only concerned with company email residing on mobile phones?
- Are you concerned about other data such as documents and photos being stored on devices or syncing to the cloud?
- Are you concerned about screenshots of data from mobile phones?
- What kind of resources will you allow access to? Allowing access to resources is just as important as preventing access.
- Do you need an MDM solution that will allow or prevent company email from being sent from a personal account on a mobile device? If it’s a BYOD policy, will you still control the downloading of apps, or will you have a separate policy for company-owned devices?
- Will you require passwords or enforce screen lockouts?
- Will you treat personal devices differently than company-owned devices?
- Do you care what the devices access?
3. Bring Your Own Device (BYOD) or company-owned devices – Allowing users to bring in their own devices (BYOD) can be risky, not only from a security standpoint but also for supportability. If you plan on incorporating BYOD, is your support staff ready and able to help the users? Will BYOD users be under the same rules as users of your company-owned devices? What happens when a BYOD employee leaves the company: do you wipe their device, or perform a selective wipe that removes only company data and preserves their personal data? Having these questions answered can help narrow your selection of MDM software, because some products may not be able to do a selective wipe.
4. Developing mobile applications – If you are currently developing mobile applications, you will need to consider how you want to deploy those apps to the devices. Choosing an MDM solution that has a built-in Enterprise Apps store can provide you with an easy way to deploy apps to your users’ devices.
5. Wireless LAN or VPN access – Just about every mobile device on the market can connect to and use WiFi. Allowing devices to connect to corporate WiFi can cause additional headaches for an administrator (as I have personally experienced). When mobile devices connect to the corporate WiFi, they can have access to internal network resources such as SharePoint. If your SharePoint sites use any type of integrated Windows authentication, users may be prompted for their username and password when accessing these sites. This can cause some user confusion and unwanted help desk tickets, because users are not aware that this is “normal” on non-Windows devices. Another concern with accessing the corporate network is that the devices now have the ability to access the Internet through your network. If your company uses a web filter, it may not work on the mobile devices, allowing your users to access non-business sites or stream Internet radio.
Demos and Proof of Concept
Once you’re ready to start evaluating software, I would recommend doing demos or proofs of concept with multiple vendors. Going through a proof of concept will weed out what you want vs. what you really need. Most vendors will allow proofs of concept or demos. Some good ones to start with include the following:
- McAfee Enterprise Mobility Management
- Good for Enterprise
- AirWatch’s Mobile Device Management
- MobileIron’s Mobile Device Management
- BoxTone’s Mobile Device Management
Keep in mind that even after you have adopted a particular MDM product, there may be a point at which you will need to switch to different software based on changing business needs. There are dozens of solutions on the market from which to choose, and they all have their pros and cons that you’ll need to review based on your company’s needs and requirements.