Getting control over a mobile device management (MDM) deployment has several key components, starting with understanding the fractured nature of the mobile devices themselves, finding the right level of security and usage policies, and implementing the infrastructure needed to support MDM platforms, according to experts.
MDM technologies create a cross-platform layer that IT can use to secure, monitor and support mobile devices used by employees, even if the devices aren’t owned by the company.
For one, built-in management tools, particularly for the market-leading Android and iOS platforms, were initially created with consumers—not enterprises—in mind, according to Christian Kane, an analyst for Forrester Research Inc. in Cambridge, Mass.
“There’s a big challenge because most MDM solutions leverage the native APIs [application programming interfaces] or management hooks built into the operating systems of the devices,” Kane said.
“So IT then has to look for better controls around data and applications, which you don’t really have in a consistent form today—just given the diverse landscape of platforms and how apps are currently developed,” Kane added. “That makes it tricky.”
A Complicated and Fractured Nature
IT pros charged with managing mobile devices must work through various releases of multiple operating systems such as iOS, Android, BlackBerry and Windows Phone. These systems typically also reside on various models of hardware from different manufacturers.
For example, although Apple’s iOS is almost the same on iPhone 4 as it is on the iPhone 4S and the iPad, Google’s Android splinters off in different directions. Some Android-based phones and tablets running Honeycomb 3.x may not be upgradable to Ice Cream Sandwich 4.x, and new smartphones and tablets often run customized versions of Android.
“It can be very confusing,” noted Mark Jordan, senior product manager for Sybase Afaria.
Plus, he explained, the device manufacturers often deliver their own methods for managing the devices in enterprise environments, using different APIs or encryption, which can even vary among their own products.
MDM technologies can help enterprises manage all of these dizzying types of operating system, hardware and configuration possibilities.
Forrester’s Kane said there are approximately five dozen MDM platform vendors with such options. SAP’s Sybase Afaria is often considered by Forrester’s clients, he said, particularly organizations that use other Sybase products or SAP ERP systems.
For more on mobile device management:
Read about the development of the Sybase Unwired Platform ecosystem
Learn more about SAP’s roadmap built around mobile, cloud, and in-memory technology
Because today's market-leading “bring your own devices,” or BYODs, were first aimed at the consumer-oriented experience, MDM platforms have to find secure methods to sandbox corporate assets from a constantly changing range of apps and device features, according to Kane.
For example, both Google and Apple offer their consumers app stores full of consumer-oriented apps, and both iOS and Android are designed to let smartphone owners buy and install their own apps, at will, at any time. Some apps are not secure or may let employees expose private corporate data too easily. In addition, smartphones can be completely backed up to unsecure consumer-owned PCs or cloud-based services that are beyond the control of the enterprise.
Because of these complexities, Forrester is seeing firms start by starting with company email, contacts and calendaring.
“They just want to get familiar with the devices, to get baseline policies set around security, to get a PIN on the device, to be able to wipe it, and then work through their mobile app strategies,” Kane said, noting that these basics are a critical starting point for companies unsure where to begin.
Two Sides of the Coin
According to Jordan, the first obstacle a company must hurdle is ensuring it has a comprehensive security plan in place.
“Before IT can put any type of corporate asset on a device, IT has to have security,” Jordan said. “The other challenge is configuration.”
Security typically starts with a strong password or PIN to unlock the device, which some MDM systems can help enforce. Other key security factors MDM implementors should consider include the following:
- Data wiping. If a device is lost, stolen, or an employee leaves the company, data and access can be removed remotely. Selective data wiping lets a company wipe only the enterprise-related data, leaving the rest of the device intact for the BYOD owner.
- Jailbreak detection. “Jailbreaking” (also called rooting) a device occurs when someone hacks the phone in order to bypass security and configuration controls and install apps or use the device for purposes unintended by the manufacturer. Jailbreaking can also reduce IT’s ability to manage the device.
- Virtual private network (VPN). If a company wants secure connections between devices and corporate assets, an MDM system will need to work with existing VPN systems and bridge gaps between various devices to enable secure access.
- Encryption. Some devices can encrypt data at rest while others can’t, and MDM technologies can help IT organizations enable encryption applications.
The ability to configure devices, report on those configurations and make changes to fix, warn or remove access is where MDM technologies really shine, Jordan said. The best MDM platforms offer over-the-air configuration and report back with real-time inventory configurations to protect against unsecure or “blacklisted” applications. For example, some companies blacklist cloud-based storage technologies because it’s so easy for employees to store sensitive information that’s out of IT’s control. For instance, few organizations would trust a salesperson’s price list or customer contracts enough to store them in a consumer-oriented cloud storage account.
How do MDM Platforms Work?
As enterprises strive to deliver apps and data to mobile employees by means of increasingly powerful smartphones and tablets, the challenge to secure sensitive corporate data is driving the implementation of mobile device management (MDM) solutions—and according to Cambridge, Mass., analyst group Forrester Research Inc., to implement an enterprise mobile strategy, companies must usually invest in an MDM system.
“This essential technology lets IT infrastructure and operations professionals support multiple platforms and form factors, extend management and security policies to both corporate-liable and employee-owned devices and automate service desk support,” explained Forrester analyst Christian Kane. “We’ve seen significant traction of MDM solutions in the last few years. It’s been fueled by the entrance of new consumer devices—iOS and Android—and enterprises are feeling they need to get a handle on them.”
MDM technologies typically use a server to provide secure communications to and from the devices, and let them connect to enterprise data and applications. MDM often includes over-the-air application distribution, portal-type access for enterprise applications and client-side mobile applications that let the MDM management tools monitor, communicate with and wipe lost, stolen or insecurely modified devices.
Meanwhile, the desire to extend enterprise applications is leading to the need for more complicated MDM deployments.
“We’re seeing a lot of enterprises adding applications exponentially,” Jordan explained. “We’re seeing the typical MDM market going more toward mobility management, and that’s broader than device management. There is also application management, content management and expense management, and these are coming into the device management fold,” he added.
Servers to the Rescue
To let mobile devices integrate fully with enterprise applications and data—far beyond the relatively shallow delivery of email—MDM platforms solutions typically overcome the challenge by requiring companies to install a server between the devices and the enterprise apps and data.
In the case of Afaria, Sybase’s solution is to use “relay servers” that use DMZ gateways to let secure communications into an enterprise network—these remove any need to push inbound ports into the network. “Everything is outbound through the DMZ, so you have secure communications with your devices,” Jordan explained.
According to Oliver Rogers, a London-based NetWeaver consultant for Bluefin Solutions Ltd. who has been working on mobile device technologies for clients, the desire to access specific SAP-based enterprise applications, however, can increase the number components a company will need to implement—especially when it comes to custom enterprise applications. These applications are typically already behind firewalls and are only accessed internally.
“This means that the type of security imposed on these SAP systems—no Internet access, limited virus scanning—is all geared for attacks that would only come if someone breached the internal network. Or there is no security there at all, just user accounts to restrict authorizations,” Rogers said.
“Obviously, when you want to mobilize the process and/or data, then you need to expose this somehow, and this is where products like the Sybase Unwired Platform come in, as it provides security and encryption for both data at rest and data in transit,” he said. “This does require additional infrastructure and this can sometimes be a great headache trying to secure it as it will be exposed to the outside world.”
Slow and Steady
Despite the benefits of enterprise control over mobile devices that MDM packages bring, Rogers said that some companies still prefer to invest in more custom and focused apps in the hope that a less-managed device—that’s still secure—will increase user adoption. This was the case for one company he worked with.
“Not using mobile device management software means that we actually have no control over the device. So the application needs to be a secure sandbox that can be remotely deactivated without any effect to the users' other apps or their phone,” Rogers explained. “It also means that we had to build in detection for jailbroken phones and provide an alternative method to provision the application to the device.”
While not all the desirable enterprise controls are built into mobile devices today, Forrester recommends that companies start slow and roll out access using a staggered approach, beginning with a single mobile policy that covers both corporate and employee-owned devices.
“A really big chunk of this effort, though, will be on the nontechnical side, really understanding how employees interact through these devices to get their jobs done, and then figuring out your mobile policy—the written policy and corporate approval,” Forrester’s Kane noted. “Joining the technology capabilities together with a mobile policy is the most important part—and really the most difficult.”