Several years ago work computers were for work use only, blocking social media, personal email, and browser games. The thought of sensitive company data being accessible on any network, and from any device, was akin to a horror film scenario for IT personnel. Now, concepts such as bring your own device (BYOD) and remote work are becoming much more of the norm, especially for small and medium businesses (SMBs). Rather than delve into the myriad of pros/cons and security risks each of these approaches present, today we’ll focus on best practices for device management, aka mobile device management (MDM).
What is Mobile Device Management (MDM)?
Some of us can remember when the only computing devices on the corporate IT infrastructure were company-owned, fixed workstations. The company IT administrator would commission these “personal computers” by installing the operating system and software applications that each employee needed to do their job. Users were almost never given any type of administrative rights to computers, prohibiting installation of applications and of course removing a whole host of other administrative abilities over the computer. (FYI: allowing your users local administrative privileges is still generally seen as a big “no” in information security.)
As technology improved, IT techs were able to do much of that work remotely, and they became good at re-imaging machines when an employee left the company and the computer was reassigned to someone new. Remote management offerings expanded, eventually adding support for mobile devices running iOS and Android. In time, users were allowed to link their own laptops and smartphones to the system -- a practice known as bring your own device (BYOD). To manage company-owned information on all of these devices, the concept known as mobile device management (MDM) has become prevalent.
For some, the term MDM has come to mean the management of all company-approved devices -- whether mobile or not. So the fixed workstations in the company building -- although becoming increasingly rare -- have been rolled together with laptops, tablets, and phones in the larger concept of mobile device management. MDM software can take many forms. See a comparison of eight MDM software packages from PC Magazine.
Features of MDM
Perhaps the most important benefit of MDM is the ability to manage various aspects of almost all end-user devices from one centralized software management portal (often referred to as “a single pane of glass”). It’s no longer necessary for IT techs to wander from room to room performing software updates on equipment using CDs, DVDs, or USB flash drives, or even to stand up a domain in order to manage many devices, something many SMBs forgo. Changes to software packages can be accomplished remotely, and they can even be scheduled at night when the device is not in use. Many of the MDM functions can be automated and require no human intervention at all.
Onboarding of new devices is fairly simple too, and end-users can initiate the process easily with just a few instructions. Clear policies and procedures should be made available to new employees, or to those who have elected to introduce their own devices to the network. How end devices are registered is determined by the technology and the policies implemented by the IT department.
Once devices are registered and part of the MDM ecosystem, IT personnel can simply push new software installations or updates to end devices according to agreed-upon schedules. Changes that might be disruptive to productive work can be scheduled for a maintenance window, all part of a larger change control program. (I’m pretty sure we’ve all rebooted for an important morning meeting and been greeted by Windows updates at one time or another.) This also makes inventory management for many device types much easier.
While the features vary greatly from offering to offering and OS to OS, some MDM solutions support Windows, Mac, iOS, and Android.
Security Benefits of MDM
The security advantages to the company (and user) can be manifold, depending on the solution used and its configuration. As mentioned above, security updates and patch levels can be reported on and in many cases pushed automatically.
Monitoring and managing end-user devices with MDM is another key capability. If a laptop is lost or stolen, an administrator may be able to track its location, disable it, or even wipe it clean remotely if the device is online. If the device is offline, hopefully it’s encrypted (and MDM solutions can report on that too).
With employee and user privacy now a concern for employers as well, many MDMs also allow segmenting personal from professional data, with remote-wipe features designed to touch only company data. It’s important to note that in practice this often means only data that stays inside company-approved applications will be affected. For example, if an employee were to copy company documents into an application they use for personal purposes, that information would likely not be covered by the MDM solution.
Many particulars of IT security can be finely managed from a central location, without deep technical expertise, and all from a single pane of glass.
Whether it’s passwords, FileVault, firewalls, or some other security mechanism, MDM empowers organizations to keep a much better grip on data by protecting the various devices on which it resides. Many MDM solutions do this while respecting personal/professional barriers, and MDM is generally unobtrusive and transparent to the user. MDM serves to pull together all devices allowed on the network, enforce policies, and protect resources -- all in a user-friendly way. In short, managing end devices is a good thing for everyone involved, and MDM processes are making it easier every day.