Enterprise
Mobile Device Management
Copyright 2021, Faulkner Information Services. All
Rights Reserved.
Docid: 00011508
Publication Date: 2110
Report Type: TUTORIAL
Preview
Mobile Device Management (MDM) typically incorporates the provisioning,
support, configuration, security, compliance, and management of mobile
devices. Devices can include a diverse range of endpoints, such as
smartphones, tablets, and laptops – both corporate-owned and personal. MDM
generally involves pushing updates to mobile devices, identifying
non-compliance issues, and remotely wiping lost or compromised devices.
However, MDM must also address data management, especially with the rise
of both covert and overt Bring Your Own Device (BYOD) usage within the
enterprise.
Report Contents:
- Executive Summary
- Description
- Evolution of MDM
- General Data Protection Regulation
- Recommendations
- References
- Web Links
- Related Reports
Executive Summary
Mobile Device Management (MDM) typically incorporates the provisioning,
support, configuration, security, compliance, and management of mobile
devices.
Devices can include a diverse range of endpoints, such as smartphones,
tablets, and laptops – both corporate-owned and personal. MDM generally
involves pushing updates to mobile devices, identifying non-compliance
issues, and remotely wiping lost or compromised devices. However, MDM must
also address data management, especially with the rise of both covert and
overt Bring Your Own Device (BYOD) usage within the enterprise.
Security Features
Essential MDM security features include:
- Mandatory password protection
- Jailbreak detection
- Remote wipe
- Remote lock
- Device encryption
- Data encryption
- Malware detection
- VPN configuration and management
- WiFi configuration and management1
EMM & UEM
Over the past few years, the Mobile Device Management concept has been
expanded and rebranded by some providers into Enterprise Mobility
Management (EMM) and, most recently, Unified Endpoint Management (UEM).
Gartner, which promotes the UEM brand, “defines the unified endpoint
management (UEM) tool market as a set of offerings that comprise mobile
device management (MDM) and modern management of traditional endpoints
(PCs and Mac).” UEM includes – in fact, emphasizes – “integration with
client management tools (CMTs) and processes.”
Description
Mobile Device Management, like its successors, Enterprise Mobility
Management and Unified Endpoint Management, was developed in response to a
wide variety of mobile device threats. As itemized by US National
Institute of Standards and Technology (NIST), these threats include:
- Exploitation of Underlying Vulnerabilities in Devices
- Device Loss and Theft
- Accessing Enterprise Resources via a Misconfigured Device
- Credential Theft via Phishing
- Installation of Unauthorized Certificates
- Use of Untrusted Mobile Devices
- Wireless Eavesdropping
- Mobile Malware
- Information Loss Due to Insecure Lockscreen Configuration
- User Privacy Violations
- Data Loss via Synchronization
- Shadow IT Usage2
While addressing certain of these threats, such as actually preventing
device loss or theft, is beyond the scope of MDM solutions, MDM remains an
essential element of mobile device control and security.
MDM Use Cases
As revealed in the Best Mobile Device Management (MDM) Solutions
Buying Guide, MDM may be employed for the following functions:
“Tracking Mobile Devices: Asset Management – The first
step to managing mobile devices in the enterprise is ensuring you have an
accurate inventory of devices working with your infrastructure.
“Screening Apps: White/Black Listing – System
administrators … should [have] the ability to limit apps used on managed
mobile devices. Whitelisting allows you to list the set of acceptable apps
for mobile devices. Blacklisting allows you to limit the use of unapproved
applications.
“Keeping Data Confidential: Encryption –
MDM systems can allow you to define an encryption policy for data
stored on mobile devices. This should include strong encryption and
key management. Keep in mind that data should be encrypted during
transmission (“data in motion”) and while stored on the device (“data at
rest”).
“Locking Down Devices: Controlling Device Configurations
– Mobile devices are feature-rich with Bluetooth communications, geo
location tracking, Wi-Fi network access and other functions. MDM systems
should allow for remote control over configurations, up to and include
remotely wiping a lost or stolen device.
“Enforcing Rules: Policy Management – MDM systems can
help mitigate security risks related to the use of tablets and smartphones
in the enterprise. Look for support for asset management, app management,
encryption and policy enforcement to help protect your information
assets.”3
Continuous App Vetting
To illustrate how MDM (or, in this case, its sister service EMM) can be
utilized for application vetting, consider the diagram in Figure 1
prepared by the US Department of Homeland Security. The process shown here
depicts the discovery of potentially harmful apps and the subsequent
denial of app access to sensitive enterprise information and information
systems.
Figure 1. EMM-Enabled Continuous App Vetting
Source: US DHS4
MDM Self-Service
To reduce their Mobile Device Management burden, enterprise officials may
effectively outsource casual administrative functions to employee
end-users. With employees relying on mobile devices to get their jobs
done, you don’t want basic device management issues to impede
productivity. You also don’t want users calling the help desk with
issues they can resolve themselves. Utilizing a self-service portal,
employees can:
- Enroll their devices
- Lock and wipe their devices if presumed stolen
- Reset their passcodes
- Locate their lost devices5
Evolution of MDM
Like mobile devices, Mobile Device Management is constantly
evolving. As analyst Carl Weinschenk observes, while “BYOD may be
the highest profile challenge … [organizations] are seeking support for
many … types of endpoints.” These include, according to SOTI Director of
Product Management Suneil Sastri:
- Point-of-service devices
- Unmanned kiosks
- Digital displays
- Printers
- Scanners
- Smart watches
- even Mini-bar refrigerators6
In addition to endpoint diversity, an evolution in “work structures” is
compelling changes in MDM capabilities. As Microsoft states, “Companies
are still dealing with rebuilding an infrastructure that enables the
modern workplace. This requires companies to really think about their
needs and find solutions that cover multiple use cases and platforms that
are architected to work with the melting of the traditional perimeter.”7
Enterprise Mobility Management
While MDM is still a viable software category, some vendors have expanded
and rebranded their MDM solutions as Enterprise Mobility Management
(EMM). Essentially a mobility bundle, EMM consists of multiple components,
including:
- Mobile Device Management (MDM)
- Mobile Identity Management (MIM)
- Mobile Application Management (MAM)
- Mobile Content/Email Management (MCM)
- Mobile Security Management (MSM)8
EMM aims to protect every element of the “mobile experience,” not just
mobile devices.
Unified Endpoint Management
As further evidence of the continuing progression of mobile management
solutions, in 2018, Gartner and others began promoting a new category,
Unified Endpoint Management (UEM).
Gartner “defines the unified endpoint management (UEM) tool market as a
set of offerings that comprise mobile device management (MDM) and modern
management of traditional endpoints (PCs and Mac).” UEM includes – in
fact, emphasizes – “integration with client management tools (CMTs) and
processes.”
One of today’s popular Unified Endpoint Management products is VMware’s
Workspace ONE UEM. As described by the vendor, the Workspace ONE UEM
provides device lifecycle management across all platforms in a single
comprehensive solution that empowers IT to:
- Automate the onboarding process over the air.
- Intelligently manage every device on every platform.
- Flexibly support all use cases – BYOD, corporate-owned, frontline, or
purpose-built.
- Easily manage apps and provide a consistently positive self-service
employee experience.
- Make data-driven decisions and automate important repetitive
processes.
- Secure devices, apps, and data at rest and in transit.
MDM Vs. EMM Vs. UEM
Perhaps the best way to differentiate MDM from EMM and UEM is to
summarize their respective capabilities as detailed in Table 1.
Mobile Device Management | Enterprise Mobility Management | Unified Endpoint Management |
---|---|---|
|
|
|
Source: brightfin9
The Final Word
Despite any semi-official differences between MDM and UEM, the
professionals at 42Gears Mobility Systems believe that today’s leading MDM
and UEM solutions are almost indistinguishable. “Any good modern MDM
solution is really a UEM solution. Leading MDM solutions all offer
the ability to manage almost any office device from one console. Plus,
these solutions can all manage the content on those devices, too.”10
General Data Protection Regulation
As of May 25, 2018, any organization responsible for collecting,
processing, or storing data belonging to the citizens of the European
Union must comply with the EU General Data Protection Regulation (GDPR).
Analyst Andrada Coos cautions that “companies that process EU data
subjects’ personal information have very clear obligations as data
controllers and processors. Prior authorization for processing is needed
from data controllers and can only be done as per the documented
instructions provided by them. Confidentiality is imposed on personnel
processing sensitive data. Clear measures to protect personal data must be
adopted and sub-processors cannot be engaged without the explicit
authorization of data controllers.
“The GDPR also requires a very clear and specific statement of consent
from EU data subjects. Customers must give explicit consent to concisely
formulated requests. They also have the right to revoke that consent at
any time and request that their data be destroyed by the data controller
and, implicitly, the data processor.”11
Importantly, enterprises must ensure that their MDM, EMM, and UEM
solutions comply with all relevant provisions of the GDPR.
According to analyst Paul Heltzel, “Gartner’s mobile-specific
recommendations for meeting GDPR requirements include ensuring enterprise
mobility management (EMM) tools are enforcing passcode authentication and
encryption, and explicitly asking users permission to enroll in device
management (and avoiding using prefilled checkboxes when asking the users’
permission).”12
Recommendations
MDM can address a variety of threats:
- Lost or stolen devices can be wiped
- Malware can be averted
- Enterprise data can be protected on multiple platforms
When deploying a MDM solution, enterprises need to consider the following
recommendations:
Know your organization before selecting a MDM solution
Solutions Review suggests asking the following questions:
- How sophisticated is your mobile environment/strategy? – You need to
understand how and at what level your organization is utilizing mobile
devices.
- How will this new level of security and management impact employees? –
As Bring Your Own Device (BYOD) programs grow and mobile strategies
continue to mature, the line between personal and work life becomes
increasingly blurry.
- Do you have the internal IT resources to manage and maintain a MDM
solution? – Evaluate your internal team and understand what they can
handle.
- How will you ensure compliance and decrease risk? – Monitoring tools or
asset tracking can help you maintain a certain level of compliance, but
some of these functions are more reactive than proactive. Through
seminars, courses, or information sessions you can clearly outline,
define, and reinforce policies and guidelines.
- What will our enterprise mobility policy entail and what MDM functions
will we utilize? – Answering this question will provide the dos, don’ts,
and actual functions your mobile devices can perform.13
Establish – and enforce – strong policies and security standards
Rationalize any discrepancies between enterprise MDM and BYOD policies.
Consult with enterprise general counsel to avoid any legal or regulatory
issues.14
Select a MDM solution that provides multi-platform support
BYOD may demand that a variety of platforms, including Windows, iOS, and
Android, be supported.
Select a MDM solution that is flexible
With new and upgraded mobile devices and other endpoints hitting the
market, a MDM solution must address all elements of an enterprise’s mobile
infrastructure. Perhaps a cloud-based MDM product would be optimal with
real-time updates/upgrades/pushes. Perhaps buying MDM applications as
needed would be wiser for an enterprise with fewer devices to support, as
long as the applications interoperate.
Select a MDM solution that is interoperable
The Best Mobile Device Management (MDM) Solutions Buying Guide
suggests “[examining] your MDM prospects with a discerning eye when it
comes to integration with your existing enterprise applications, such as
active directory/LDAP, Microsoft Exchange, web-based mail, cloud services
and backup/restore.”15
Configure the underlying MDM platform for MDM use
As NIST observes, MDM infrastructure runs on top of commodity hardware,
firmware, and software – all of which are susceptible to publicly known
software and hardware flaws. Although extensive customization of systems
occurs, commodity hardware and well-known OSs should be identified and
understood. These systems should be properly configured and regularly
patched to remediate known vulnerabilities.16
References
1 “What is Mobile Device Management and Enterprise Mobility Management?” Best Mobile Device Management (MDM) Solutions Buying Guide | Business.com. October 10, 2018.
2 Joshua M. Franklin, Gema Howell, Murugiah Souppaya, Vincent Sritapan, and Karen Scarfone. Draft NIST Special Publication 800-124, Revision 2: “Guidelines for Managing the Security of Mobile Devices in the Enterprise.” US National Institute of Standards and Technology. March 2020:7-11.
3 “What is Mobile Device Management and Enterprise Mobility Management?” Best Mobile Device Management (MDM) Solutions Buying Guide | Business.com. October 10, 2018.
4 “Evaluating Mobile App Vetting Integration with Enterprise Mobility Management in the Enterprise.” US Department of Homeland Security. June 26, 2019:11.
5 “Twelve Best Practices for Mobile Device Management.” MaaS 360 | QuinStreet Inc. 2018.
6 Carl Weinschenk. “Mobile Device Management and the Enterprise.” Quinstreet Inc. November 29, 2018.
7 Ibid.
8 Benedict Jones. “A Simple Guide to MTD, MDM, EMM and UEM: Choose the Right Mobile Security Solution for Your Business.” LinkedIn Corporation. January 11, 2021.
9 “Mobile Asset Management: MDM vs EMM vs UEM.” brightfin. March 12, 2021.
10 “The Ultimate Guide to Mobile Device Management.” 42Gears Mobility Systems Pvt Ltd. 2021.
11 Andrada Coos. “Shadow IT in the Age of GDPR Compliance.” Endpoint Protector. February 15, 2018.
12 Paul Heltzel. “Will Your Organization’s Mobile Device Protection Meet GDPR Requirements?” Informa USA, Inc. May 2, 2018.
13 “Mobile Device Management Solutions: 2016 Buyer’s Guide.” Solutions Review. 2016:3-4.
14 Ibid. p.5.
15 “What is Mobile Device Management and Enterprise Mobility Management?” Best Mobile Device Management (MDM) Solutions Buying Guide | Business.com. October 10, 2018.
16 Joshua M. Franklin, Gema Howell, Murugiah Souppaya, Vincent Sritapan, and Karen Scarfone. Draft NIST Special Publication 800-124, Revision 2: “Guidelines for Managing the Security of Mobile Devices in the Enterprise.” US National Institute of Standards and Technology. March 2020:11.
Web Links
- Citrix: http://www.citrix.com/
- IBM: http://www.ibm.com/
- Microsoft: http://www.microsoft.com/
- NIST: http://www.nist.gov/
- VMware: http://www.vmware.com/
About the Author
James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of Who’s
Who in Finance and Industry, Mr. Barr has designed, developed, and
deployed business continuity plans for a number of Fortune 500 firms. He
is the author of several books, including How to Succeed in Business
BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices.
Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.