E-guide
Mobile Security Buyer’s Guide
Your expert guide to mobile security
Page 1 of 41
In this e-guide
- Introduction to mobile device management products
- Three enterprise scenarios for MDM products
- Six questions to ask before buying enterprise MDM products
- Comparing the best mobile device management products
Introduction to mobile device management products
Matthew Pascucci
Expert Matt Pascucci describes how implementing mobile device
management products can protect smartphones and tablets, as well
as enterprise networks and infrastructures.
Mobile devices have become heavily integrated into enterprise networks, and
the trend shows no signs of slowing down. As mobile devices continue to
become more powerful and push the boundaries of what a computer really is,
organizations need to better secure these systems through mobile device
management products.
By applying custom policies to smartphones and tablets through mobile device
management (MDM), an administrator can, for example, regulate these devices
to be used only in ways that an organization deems appropriate under its
security policy. This can limit the risk of lost data, stop unapproved software
installs and prevent unauthorized access to the mobile devices accessing
corporate data and networks.
Mobile security, meanwhile, isn't just for large enterprises. It should be seriously
considered throughout all verticals -- no matter the size of the company.
The mobile security characteristics of MDM
When evaluating mobile device management products and vendors, these are
the features (at a minimum) to look for to form a baseline mobile security policy:
- PIN enforcement. Also seen as a password for the system; admins can manage PINs to lock individual devices.
- Full disk encryption -- or containerized encryption -- of data or disks. An MDM product should be able to enforce encryption on any device it manages.
- Remote wipe, in case of loss or theft.
- Secures data at rest and in transit. The ability to stop certain data from being copied or sent while on the device.
- Jailbroken or rooted device detection. Jailbreaking poses a significant risk because it allows users to install unapproved software and make changes to the mobile device's operating system (OS).
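The five baseline features above are what an administrator would actually check device by device once agents start reporting in. The following is an added example, not code from the e-guide or from any MDM vendor: it evaluates constructed agent reports against that baseline and picks a remediation for the most severe finding. The report field names, the six-digit minimum PIN length and the remediation wording are all assumptions.

```python
"""Baseline MDM compliance check over constructed device reports.

Added example; it is not code from the e-guide or from any MDM vendor.
The report fields and the numeric limits are assumptions chosen to mirror
the five baseline features listed above.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class DeviceReport:
    """What an MDM agent might report for one enrolled device (assumed schema)."""
    device_id: str
    platform: str
    pin_set: bool               # a device passcode/PIN is configured
    pin_min_length: int         # minimum length the applied policy enforces
    storage_encrypted: bool     # full-disk or container encryption is active
    remote_wipe_enrolled: bool  # device accepted the remote-wipe capability
    dlp_restrictions: bool      # copy/share restrictions apply to corporate data
    rooted: bool                # result of the agent's jailbreak/root check


# Policy threshold: the six-digit minimum is an assumption, not a guide figure.
PIN_MIN_LENGTH = 6

# Remediation per failed control; the first finding on a device drives the action.
ACTIONS = {
    "jailbroken_or_rooted": "block corporate access until the device is re-imaged",
    "encryption": "push encryption profile; block corporate data until confirmed",
    "remote_wipe": "re-enroll the device so remote wipe is available",
    "pin_enforcement": "push passcode policy and require a compliant PIN",
    "data_at_rest_and_in_transit": "apply the DLP restriction profile",
}


def evaluate(report: DeviceReport) -> List[str]:
    """Return the baseline controls a device fails, most severe first (empty = compliant)."""
    findings = []
    if report.rooted:
        findings.append("jailbroken_or_rooted")
    if not report.storage_encrypted:
        findings.append("encryption")
    if not report.remote_wipe_enrolled:
        findings.append("remote_wipe")
    if not report.pin_set or report.pin_min_length < PIN_MIN_LENGTH:
        findings.append("pin_enforcement")
    if not report.dlp_restrictions:
        findings.append("data_at_rest_and_in_transit")
    return findings


def recommended_action(findings: List[str]) -> str:
    """Pick the remediation for the most severe finding, or 'none' if compliant."""
    return ACTIONS[findings[0]] if findings else "none"


def compliance_summary(reports: List[DeviceReport]) -> Tuple[Dict[str, List[str]], int]:
    """Map device id -> findings, plus the count of fully compliant devices."""
    results = {r.device_id: evaluate(r) for r in reports}
    compliant = sum(1 for f in results.values() if not f)
    return results, compliant


# Constructed sample inventory (not real devices).
SAMPLE_REPORTS = [
    DeviceReport("dev-001", "ios", True, 6, True, True, True, False),
    DeviceReport("dev-002", "android", True, 4, True, True, True, True),
    DeviceReport("dev-003", "ios", False, 0, False, False, True, False),
]


if __name__ == "__main__":
    results, compliant = compliance_summary(SAMPLE_REPORTS)
    for device_id, findings in results.items():
        status = "compliant" if not findings else "FAIL " + ", ".join(findings)
        print(f"{device_id}: {status} -> {recommended_action(findings)}")
    print(f"{compliant}/{len(SAMPLE_REPORTS)} devices meet the baseline")
```

A rooted device is listed before a weak PIN on purpose: root detection is the one finding where the agent's other answers can no longer be trusted, so it should drive the action regardless of what else the device reports.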
There are additional MDM features (e.g., GPS tracking, VPN integration,
certificate management, Wi-Fi policies, among others) that are useful, but not
for all companies. At the very least, the five bullets above should be verified
when looking at MDM products. Also verify that the selected mobile device
management products support all the smartphone and tablet platforms (iOS,
Android, Windows Phone and others) that the organization intends to manage
and secure.
While MDM does quite a bit when it comes to securing devices, there are a few
things it doesn't do. For starters, many think Web filtering is a default feature,
when in fact, most -- if not all -- MDM vendors rely on separate systems to
perform that function. Another function people assume mobile management
products perform is data backups. Mobile security vendors are not backing up
mobile devices' data. If data is lost, it's gone unless a separate backup system
has been put into place. This is usually done via third-party apps and
configuration settings, but not natively through mobile device management
products. So there may be additional mobile security software protection
needed beyond MDM.
Licensing options for mobile device management products
Two licensing models are common. The first, the standard one-license-per-device model, works well for smaller companies without many users, or for businesses that are able to tie one mobile device to each user. If an organization is only applying MDM to smartphones, and there is no chance end users will use another mobile device on the network, this method is a wise choice.
However, due to the need for flexibility and increased use of mobile devices -- especially due to bring your own device (BYOD) initiatives -- it may become necessary to have multiple mobile devices (typically three) protected under a single user license. This comes in handy when users tend to have multiple devices (a smartphone, a tablet and the like), but the business doesn’t want to go through the hassle and expense of paying for a separate license for each device.
While generally more expensive than single-device licensing upfront, user-based licensing can save a substantial amount of money over time as employees adopt more mobile devices.
Mobile management deployment options
The most common way to deploy MDM products is via a virtual image, but
almost all vendors will offer a hardware-based product if needed, and many are
increasingly providing these services over the cloud.
The virtual images are normally delivered in either OVA (Open Virtual
Appliance) or OVF (Open Virtualization Format) file formats, and are fully
contained OSes that allow organizations to import the software into existing
virtual environments (Hyper-V, VMware, and others). The virtual images allow
for quick installation of the MDM vendor's software, with resource management
owned by the customer.
There are, of course, MDM customers that either don't have a virtual
environment installed or want to have the mobile management system running
on isolated hardware for performance issues or security concerns. In those
instances, MDM vendors ship a dedicated MDM system to the customer with
detailed instructions on how to configure the hardware.
Running an MDM system on-premises can be cumbersome for customers,
however. So a number of the larger MDM vendors have started offering their
products remotely as software as a service (SaaS) in the cloud. This
deployment option is growing in popularity, especially among MDM customers
with limited resources.
Rolling out MDM products
Once MDM products are installed on the network -- either by virtual image,
hardware or cloud -- administrators need to come up with an implementation
plan across all device types. A slow rollout (or enrollment) across the enterprise
is a smart choice, since there's going to be a learning curve for end users and
administrators supporting the product.
All MDM products have apps that are either in Google Play or the Apple App
Store for users to download. Once enrolled, users are sent an email or text with
installation instructions. When they download the app and it authenticates --
typically via LDAP or a one-time passphrase -- the organization's MDM policy
with the preconfigured options is installed on the mobile device.
At this point, the mobile device is under control of MDM and is able to be
appropriately managed by the IT staff.
Who manages mobile security?
Depending on company size, a number of different teams may assist with the
management of mobile security. Many large enterprises have resources
dedicated to mobile security, while an SMB might have it added to an IT
administrator's growing responsibilities.
The scope of admins really depends on whether a dedicated resource is
needed to manage mobile security as a whole. It's very common in the
midmarket, for example, to see different groups managing particular sections of
an MDM system. The information security team could be responsible for
creating mobile security policy, with tech support assisting with issues or
operational incidents after the mobile device is deployed, and a telecom group
assisting with onboarding and removing the mobile security policies that have
been created.
The cost of MDM deployment
Like all IT security products, there are going to be hard and soft costs to
consider when deploying mobile security via MDM.
The hard costs of implementing mobile security for the first time would include
the costs of the product itself, potential new hardware to run it, initial support
expenditures, testing and (potentially) professional management services.
The soft costs of running MDM include the additional hours of support required
for troubleshooting, installing and maintaining the system. In addition,
depending on the install base, there may need to be additional training, or even
additional employees, added to support the product.
Three enterprise scenarios for MDM products
Matthew Pascucci
Expert Matt Pascucci outlines three enterprise use cases for mobile device management products to see how they can protect users, devices and corporate data.
Mobile devices are essentially mandatory tools in today’s business world of fast-moving, data-driven end users. While smartphones and tablets provide employees with the flexibility to perform their jobs with elasticity and without borders, they engender major concerns regarding data security and privacy risks for organizations. Enter mobile device management (MDM) products, which allow people to perform their jobs efficiently and effectively while assisting IT in protecting company data and securing mobile devices from malicious access.
There are three major scenarios to consider when deciding to implement MDM
products: the protection of data on mobile devices, defending mobile systems
themselves, and securing sessions and data in transit between
smartphones/tablets and the company network.
MDM product scenario #1: Data protection
No reason for deploying MDM products is as important as securing data on
mobile devices. That's because mobile devices are in reality small computers
with powerful processors and large amounts of storage and memory that --
when used within an enterprise -- hold and have access to the same data as a
standard PC or laptop. With that in mind, organizations must extend enterprise-grade data protection to these devices without limiting their important, elastic roles at the company.
MDM vendors employ two methods, or ideologies, to protect data on mobile
devices: containerization vs. non-containerization.
Taking a containerized approach to MDM
A mobile security product that uses the containerized ideology will dedicate a
small partition in storage to the MDM application on the mobile device, limiting
all corporate data, apps and communication to this containerized section. With a
containerized approach, the data from a smartphone or tablet can’t be inserted
into the MDM application either (and vice versa), and these types of mobile
device security platforms normally add an extra layer of protection by requiring
users to log into MDM separately from the device itself.
The advantage of containerized MDM is that if the mobile device is ever lost or stolen, or someone leaves the organization, a wipe of the MDM app on the smartphone or tablet will remove all instances of corporate data. That way admins never have to worry about missing something important.
The drawback of containerized MDM is that end users often can't use apps they're accustomed to, and organizations often don't have the flexibility to leverage custom tools or programs. This is because MDM vendors need to partner with app creators to allow software to enter the encrypted partition. And, while many MDM vendors do work with software developers, not every app is natively compatible.
The non-containerized approach to MDM products
The non-containerized approach to mobile security gives users a native experience on their mobile devices and lets them use traditional apps. Unlike the containerized approach, it provides the flexibility to run the apps users are used to and allows easier access to data from third-party software. This goes for both business and personal data. It depends on the policy created by the MDM administrator, but the configuration can also allow for the locking of company apps and/or personal apps.
This approach, while gaining in popularity over containerization due to its
flexibility for the end user, needs to be reviewed in great detail beforehand by
administrators.
Here, there are options for using data loss prevention tools on mobile systems that aren't containerized. These allow for the inspection and protection of data before it leaves the mobile device.
The protection of data on mobile devices is paramount. It factors heavily in the
remaining two scenarios outlined below, and should be at the forefront of the
decision-making process when looking to deploy an MDM product.
MDM product scenario #2: Device protection
Now that the data has been secured, let's review ways in which MDM can assist
with protecting mobile devices themselves. This is an important topic because if
a smartphone or tablet isn't secure, it can lead to the infection of the network
and compromised data.
Jailbreaking/rooting detection
Most MDM systems can alert admins should a user attempt to jailbreak or root a smartphone or tablet. A rooted or jailbroken mobile device lets a user perform functions not intended by the manufacturer or approved by IT and the organization: gain admin access, download and install apps from outside the app store, run malware, among others. Sure, these aren't all necessarily that bad, but jailbreaking opens up risks to the corporate network that are best avoided by removing users' ability to root their smartphones and tablets in the first place.
PIN and passcode enforcement
The first line of defense that every mobile device requires is password
protection. Having MDM push down a policy to enforce a PIN or passcode to
smartphones and tablets (with a timeout period) is an easy way to secure
systems from unintended access by intruders that may have stolen or found a
device. Although seemingly very small and not very significant, enforcing
password security through MDM should be mandatory.
Remote wipe
The option to remotely wipe a smartphone or tablet is a lifesaver when it comes to devices that are no longer in the possession of their rightful owner. It ensures that anything on the device is no longer accessible, which matters because the data on a smartphone or tablet is usually worth far more than the mobile hardware itself.
Operating system changes and apps
With a simple MDM policy, an administrator can restrict what apps are installed -- and limit what OS changes can be performed -- by users or hackers on a smartphone or tablet. For example, the policy can allow only the installation of whitelisted apps and make sure all cameras are turned off on supported smartphones. This reassures the organization that rogue apps that could infect its mobile devices, which can lead to data loss or worse, won't be installed. It also keeps mobile systems in a baseline OS configuration for the network, making them easier to manage. This level of app and system control is a must-have when it comes to distributing mobile devices to end users.
Mobile device encryption
Companies should encrypt all mobile devices that contain important company
data. An MDM product can assist in this by forcing encryption on all supported
smartphones and tablets -- similar to the way full disk encryption does for
laptops and desktops. Encryption protects the mobile device itself and the data
that lives on it. It is important to enable on all mobile devices, even for
enterprises that use a containerized MDM product.
MDM product scenario #3: Protecting mobile connections
Now that MDM has protected mobile data and the mobile devices themselves,
it's time to focus on how to make sure these smartphones and tablets
communicate safely. This last scenario centers on how MDM products can help
secure the connections and sessions established between mobile devices and
company resources.
With MDM, organizations can mitigate the risk of insecure communication by blocking third-party configurations to remove certain functions on the mobile device and by enabling certain features within a mobile management product. For the latter, one area to review is the ability to enable VPN connections on mobile devices so they communicate back to the organization securely.
In addition, there are many times when users need to access data or services
on the internal network. So, instead of letting them access these resources
insecurely, many MDM products allow admins to require VPN terminations to
the corporate site for secure data access.
Another method to secure company network access is to restrict insecure
access by limiting the service set identifiers that wireless devices can use. While
this can become somewhat restrictive, admins can create a policy to always
have mobile systems, in range of the corporate network, use secured wireless
connections as a priority, instead of an insecure wireless network that might
also be available and accessible.
Having the ability to use internal certificates pushed to mobile devices from
company servers for an extra layer of authentication is also recommended.
There are MDM options available that limit access to certain websites. Called
secure Web browsing, this technology is normally connected back to the
corporate network and allows for implementation of an additional policy to keep
users' browsing experience secure via an organization’s normal Web proxy or
Web filtering service. Since mobile devices are extensions of the corporate
network, having the same Web policy pushed to them as onsite computers
allows for consistent security and user experiences when it comes to Web
access.
Lastly, certain MDM systems include a feature called geofencing that only allows mobile devices to work within a certain geographical location. This may be too restrictive for users that travel with their smartphones and tablets, which -- granted -- are most. But for those mobile devices that shouldn't leave a certain location, say mobile PoS systems, after the handheld goes beyond a predetermined area, it'll be deemed unusable by company policy.
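How a geofence decision like the one described for mobile PoS handhelds is actually made is worth seeing once, because the naive version locks devices that merely sit near the boundary. The following is an added example, not code from the e-guide or any MDM product: it computes the great-circle (haversine) distance from the fence centre and treats the fix's reported GPS accuracy as an error margin, so a device is only disabled when it is outside the fence by more than its location uncertainty. The store coordinates, radius and device fixes are constructed.

```python
"""Geofence check for location-restricted devices (e.g. mobile PoS terminals).

Added example, not code from the e-guide or any MDM product. It uses the
haversine great-circle distance and treats the reported GPS accuracy as an
error margin so that ordinary location jitter does not disable a device that
is sitting near the fence boundary. Coordinates and radii are constructed.
"""
import math
from dataclasses import dataclass
from typing import List, Tuple

EARTH_RADIUS_M = 6_371_000.0  # mean Earth radius used by the haversine formula


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two latitude/longitude points."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


@dataclass
class Geofence:
    name: str
    lat: float
    lon: float
    radius_m: float


@dataclass
class LocationFix:
    device_id: str
    lat: float
    lon: float
    accuracy_m: float  # horizontal accuracy the device reports with the fix


def within_fence(fence: Geofence, fix: LocationFix) -> bool:
    """True unless the device is outside the fence by more than its GPS accuracy."""
    distance = haversine_m(fence.lat, fence.lon, fix.lat, fix.lon)
    return distance - fix.accuracy_m <= fence.radius_m


def apply_geofence(fence: Geofence, fixes: List[LocationFix]) -> List[Tuple[str, str]]:
    """Decide 'usable' or 'disabled' for each device fix, as the policy would."""
    return [(f.device_id, "usable" if within_fence(fence, f) else "disabled") for f in fixes]


# Constructed store location and sample fixes (not real devices or sites).
STORE_FENCE = Geofence("store-front", 40.7128, -74.0060, radius_m=200.0)
SAMPLE_FIXES = [
    LocationFix("pos-01", 40.7130, -74.0058, accuracy_m=10.0),  # ~28 m from centre
    LocationFix("pos-02", 40.7228, -74.0060, accuracy_m=10.0),  # ~1.1 km away
    LocationFix("pos-03", 40.7147, -74.0060, accuracy_m=30.0),  # ~211 m, inside margin
    LocationFix("pos-04", 40.7147, -74.0060, accuracy_m=5.0),   # ~211 m, outside margin
]

if __name__ == "__main__":
    for device_id, state in apply_geofence(STORE_FENCE, SAMPLE_FIXES):
        print(f"{device_id}: {state}")
```

The margin cuts both ways: a generous accuracy value widens the effective fence, so a policy engine should also cap how large an accuracy it will accept before treating the fix as unknown rather than as inside.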
Mobile devices are de facto business tools for almost everyone working today.
Due to this wave of popularity, organizations need to secure the data, systems
and connections mobile devices use and the smartphones and tablets
themselves. Now that we’ve determined the absolute need for MDM products,
we'll review ways in which mobile security is purchased in the next article in this
series.
Six questions to ask before buying enterprise MDM products
Matthew Pascucci
Mobile device management can be a crucial part of enterprise
security. Expert Matt Pascucci presents the key questions to ask
when investigating MDM products.
As the mobile market continues to explode, it's become increasingly important
that organizations deploy mobile device management (MDM) to more effectively
manage smartphones and tablets, as well as better protect those mobile
devices from data loss and malicious use. Today, it's really not a matter of if
mobile device security should be deployed -- it's more a matter of when and
how quickly.
It's imperative that businesses take the time to make an educated decision
regarding which MDM platforms are right for their mobile management and
security goals, however. The majority of MDM products perform very similar
functions, but it is how they do so that must be closely reviewed and compared.
Before starting to compare and contrast MDM products, organizations should
establish a set of organizationally specific criteria to make these comparisons.
This will help determine which MDM product(s) will perform up to the standards
required for their network and mobile device profiles.
To establish these criteria, enterprises should ask themselves the questions
outlined in this article. The answers will lead them toward building a
personalized feature checklist that can guide them in determining which mobile
device management products best fulfill their particular smartphone/tablet
deployment and usage characteristics.
MDM: Is BYOD a consideration?
Protecting company data on personal mobile devices can be challenging. Bring
your own device (BYOD) is something that needs to be reviewed in detail before
making a decision on which MDM vendor to go with.
Will the organization allow end users to use personal smartphones and tablets
for business? If so, will users have the potential to store company data on their
mobile devices while they're being protected and managed by an MDM
product?
When looking into MDM to use in a BYOD environment, organizations should verify that vendors have streamlined self-service options and provide organizations with the ability to protect company data separately from personal information. A self-service model allows businesses to quickly onboard users
into the MDM product for quicker turnaround in getting mobile devices protected with the appropriate security policies. This can be done via policy enforcement -- by pushing software changes to the phone with company security options integrated into it -- or by using containerization, which allows organizations to secure all company data (and user access to that data) from within a secured app on the mobile device.
Organizations should carefully review these capabilities (self-service options
and data protection) up front with each MDM product under consideration for a
BYOD environment.
MDM: On-premises or in the cloud?
Many IT security applications are going the software as a service (SaaS) route
these days, and MDM is no different. Before making a decision on whether to
deploy on-premises or cloud-based MDM, it is important to understand the
difference between supporting and managing the two mobile management and
security methods.
Will IT have the technical know-how, time and manpower to manage an MDM system on-site (patching, building the infrastructure, managing the uptime of the environment and so on)? Or will it benefit from eliminating these daily support factors by turning to an MDM product run out of the cloud? Deploying a cloud-based MDM system often means greater flexibility for companies (some
products even allow them to set up test environments to train with and verify
settings before pushing those to production and out into the cloud).
These cloud-based MDM products are SaaS implementations that free administrators from managing physical appliances and from making firewall changes to allow access back into their networks. They are hosted on vendor servers, and often offer organizations the flexibility to have a separate install of the MDM product available for administrators to train on. Businesses could think of this as a quality assurance version of the MDM system that administrators can play with before making changes to the production version that's hosting live user accounts.
With cloud-based MDM, organizations need to weigh the risks of putting
company data into an environment they don't have complete control over. For
some enterprises, these risks (of having data hosted outside their network, not
being able to control the uptime of applications, reliance on a third party for data
security and so on) and desire for control do not outweigh the benefits (requiring
fewer resources to manage an MDM, no longer patching or maintaining MDM
hardware and software, the ability to have someone else secure company data,
among others) of managing and securing mobile devices from the cloud.
Those considering cloud-based MDM should be sure to perform due diligence
on the cloud provider to gauge how it secures customer data before moving
forward. It is ultimately an organization's data that will be stored in the cloud, so
it should treat the security of this data the same as it would if it was stored within
its physical network. In addition, verify that segmentation, vulnerability
management and privacy are followed to corporate standards by the cloud
provider.
A good place to start is by utilizing the Consensus Assessments Initiative
Questionnaire (CAIQ) by the Cloud Security Alliance to dig deeper into each
vendor's cloud security profile. The CAIQ is a survey designed to help cloud
consumers and auditors evaluate the security capabilities of cloud providers.
What type of apps can integrate into the MDM?
Businesses are employing apps on mobile devices to enable end users to work
from anywhere nowadays. This ability to let users run CRM apps, custom apps
built internally, or just about any app organizations would like employees to use,
is an important consideration when selecting an MDM product.
The MDM products being considered by an enterprise should allow IT to manage, integrate and push policy toward all the mobile apps the company supports. For example, if a business is using a CRM application that all of its sales team needs to access, it should be able to whitelist this app and push it down to the user's mobile device. This allows for more control over the device and the version of the application being used by employees.
Certain MDM vendors, meanwhile, partner with app vendors to allow for greater
flexibility and security of their apps when used with their particular MDM
product. These apps are tailored toward the MDM to limit risk, or allow only
certain versions of the app to be installed on mobile devices.
There are also certain apps that organizations wouldn't want installed. The
MDM of choice should be able to report on all apps across a company's mobile
device base to create an inventory of what's installed and if there are
unapproved apps loaded that are against written policy. There should also be
the option to lock down what can be installed on mobile devices and give the
administrators the option to perform whitelisting on an MDM that can limit the
app installs to only approved software.
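The inventory and whitelisting capability just described is, at bottom, a comparison of what each device reports installed against an approved list, with version and install-source checks layered on. The following is an added example, not code from the e-guide or any MDM vendor, that performs that audit over a constructed fleet: it flags unapproved apps, approved apps below a minimum version (the "only certain versions" case mentioned above) and sideloaded installs, and counts how many devices carry each app. All bundle identifiers, versions and device records are hypothetical placeholders.

```python
"""App inventory audit against an approved-app list with version floors.

Added example; not code from the e-guide or any MDM vendor. Bundle ids,
versions and device records are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class InstalledApp:
    bundle_id: str
    version: str
    sideloaded: bool  # installed from outside the platform app store


# Approved apps (hypothetical ids). None means any version is acceptable;
# otherwise the value is the minimum version the organization allows.
APPROVED: Dict[str, Optional[str]] = {
    "com.example.crm": "4.2.0",
    "com.example.mail": None,
    "com.example.files": "2.0.0",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.2.10' -> (4, 2, 10) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.split("."))


def audit_device(apps: List[InstalledApp]) -> Dict[str, List[str]]:
    """Classify each installed app as unapproved, outdated or sideloaded."""
    findings: Dict[str, List[str]] = {"unapproved": [], "outdated": [], "sideloaded": []}
    for app in apps:
        if app.bundle_id not in APPROVED:
            findings["unapproved"].append(app.bundle_id)
        else:
            floor = APPROVED[app.bundle_id]
            if floor is not None and parse_version(app.version) < parse_version(floor):
                findings["outdated"].append(f"{app.bundle_id}@{app.version}")
        if app.sideloaded:
            findings["sideloaded"].append(app.bundle_id)
    return findings


def fleet_inventory(
    devices: Dict[str, List[InstalledApp]],
) -> Tuple[Counter, Dict[str, Dict[str, List[str]]]]:
    """Count on how many devices each app appears, and audit every device."""
    counts = Counter(app.bundle_id for apps in devices.values() for app in apps)
    audits = {device_id: audit_device(apps) for device_id, apps in devices.items()}
    return counts, audits


# Constructed sample fleet (not real devices).
FLEET: Dict[str, List[InstalledApp]] = {
    "dev-001": [
        InstalledApp("com.example.crm", "4.2.1", False),
        InstalledApp("com.example.mail", "11.0", False),
    ],
    "dev-002": [
        InstalledApp("com.example.crm", "4.1.9", False),
        InstalledApp("com.example.flashlight", "1.0", True),
    ],
}

if __name__ == "__main__":
    counts, audits = fleet_inventory(FLEET)
    print("install counts:", dict(counts))
    for device_id, report in audits.items():
        problems = {k: v for k, v in report.items() if v}
        print(f"{device_id}: {problems or 'clean'}")
```

Comparing versions as integer tuples rather than strings is the detail that matters in practice: a lexical comparison would rank "4.2.10" below "4.2.9" and report a current install as outdated.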
The mobile app is the reason smartphones and tablets have evolved so rapidly
into essential tools for business over the last few years. The integration of
business apps into MDM assists with provisioning of these apps/business tools
and allows for faster and -- even more importantly -- secure deployment and
support.
Will MDM agents be containerless or containerized?
It is important to know whether a mobile management and security product that
is under consideration is based on the ideology of containerization, or if it uses
the containerless philosophy.
Containerization installs all MDM data within a dedicated agent container on mobile devices. This means any company-owned data is stored securely within this app without fear of leakage or theft. Nothing is able to enter the container (or be removed from it) while it is on the mobile device. Containerless, on the other hand, allows for a more native experience for end users because they don't have to use the container app to perform all job activities (i.e., email, file storage). These types of MDM products let employees use apps already installed on their mobile devices, whereas those based on containerization only let them use apps that are within a container for business.
There are pros and cons to both sides, so before looking at MDM vendors an
organization should understand which school of thought, containerization or
containerless, it subscribes to first.
With containerization, since all company data and applications are held in an app that's walled off from the rest of the mobile system and can be managed at the drop of a hat, IT can be confident that nothing related to the company is left lingering once it removes this app from a mobile device. By contrast, containerless MDMs maintain the native feel of mobile devices, which is a benefit to end users, but they are also more difficult for security teams to manage -- company data and apps aren't isolated (or walled off) from personal data and apps, as they are with containerized MDM.
Organizations that prefer to offer end users a more seamless mobile device
experience should consider containerless MDM first. Just be certain that the
MDM products under consideration provide IT with the ability to confidently
monitor and remove company data and applications when needed. If an MDM
product can't easily let admins wipe all corporate data from a system, there's a
possibility that sensitive information will make its way out of employee (and
thereby company) hands. This needs to be seriously considered when using
containerless MDM.
What MDM profile options are available?
Besides the functionality questions described above, profile options are one of the most important areas to focus on when reviewing potential MDM candidates. It is here that companies will review security capabilities to determine if MDM products have all the features required for securing not only company data, but also the mobile device itself.
A few of these MDM security features to look for are the ability to: push
passwords/PINs, let admins remote wipe mobile devices, create VPN tunnels
back into a secure network for data and application use, enable policies to
detect rooted and jailbroken systems, verify encryption on mobile devices, use
certificates for authentication, whitelist/blacklist the installation of apps, perform
GPS reviews of mobile device locations (this can have privacy implications, but
could be a use case organizations may want to review), limit features on mobile
devices (disabling cameras, memory expansion and so on) and more.
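Both the app inventory check described earlier and the profile options just listed come down to comparing each device's reported state with a written policy. The following added example (not code from this guide or from any MDM vendor) does that over a constructed inventory export: the profile names, field names and app identifiers are assumptions, and the escalation rules are illustrative.

```python
"""Evaluate an MDM device inventory export against a written mobile policy.

Added example for this guide, not code from any MDM vendor. Policy profiles,
inventory records and field names are constructed, not a real MDM schema."""
from dataclasses import dataclass

# Two profiles, since the guide notes one policy rarely fits every user:
# a baseline and a stricter one for a group handling sensitive data.
POLICIES = {
    "default": {
        "min_pin_length": 6, "require_encryption": True, "block_rooted": True,
        "app_allowlist": {"com.example.mail", "com.example.files", "com.example.vpn"},
        "blocked_features": {"memory_expansion"},
    },
    "finance": {
        "min_pin_length": 8, "require_encryption": True, "block_rooted": True,
        "app_allowlist": {"com.example.mail", "com.example.files"},
        "blocked_features": {"memory_expansion", "camera"},
    },
}

# Constructed per-device records with assumed field names.
INVENTORY = [
    {"device_id": "dev-001", "user": "alice", "group": "finance", "pin_length": 8,
     "encrypted": True, "rooted": False, "features_enabled": [],
     "apps": ["com.example.mail", "com.example.files"]},
    {"device_id": "dev-002", "user": "bob", "group": "default", "pin_length": 4,
     "encrypted": True, "rooted": False, "features_enabled": ["camera"],
     "apps": ["com.example.mail", "com.sample.game"]},
    {"device_id": "dev-003", "user": "carol", "group": "finance", "pin_length": 8,
     "encrypted": False, "rooted": True, "features_enabled": ["camera"],
     "apps": ["com.example.mail", "com.example.vpn"]},
]

@dataclass
class Finding:
    device_id: str
    user: str
    policy: str
    violations: list
    action: str

def policy_for(device, policies=POLICIES):
    """Pick the profile for the device's group; unknown groups get the baseline."""
    return device.get("group") if device.get("group") in policies else "default"

def evaluate_device(device, policies=POLICIES):
    """Check one device against its profile and decide the follow-up action."""
    name = policy_for(device, policies)
    pol = policies[name]
    violations = []
    if pol["block_rooted"] and device["rooted"]:
        violations.append("rooted or jailbroken")
    if pol["require_encryption"] and not device["encrypted"]:
        violations.append("storage not encrypted")
    if device["pin_length"] < pol["min_pin_length"]:
        violations.append(f"PIN shorter than {pol['min_pin_length']}")
    for app in sorted(set(device["apps"]) - pol["app_allowlist"]):
        violations.append(f"unapproved app {app}")
    for feat in sorted(set(device["features_enabled"]) & pol["blocked_features"]):
        violations.append(f"blocked feature enabled: {feat}")
    # Escalate by severity: a rooted or unencrypted device loses access to
    # corporate data immediately; lesser findings get remediation first.
    if any(v.startswith(("rooted", "storage")) for v in violations):
        action = "block access and wipe corporate data"
    elif any(v.startswith("PIN") for v in violations):
        action = "enforce PIN policy, block until compliant"
    elif violations:
        action = "notify user, remove unapproved items"
    else:
        action = "compliant"
    return Finding(device["device_id"], device["user"], name, violations, action)

def unapproved_app_report(inventory, policies=POLICIES):
    """Map each unapproved app to the devices carrying it: the guide's inventory check."""
    report = {}
    for d in inventory:
        for app in set(d["apps"]) - policies[policy_for(d, policies)]["app_allowlist"]:
            report.setdefault(app, set()).add(d["device_id"])
    return report

if __name__ == "__main__":
    for f in map(evaluate_device, INVENTORY):
        print(f.device_id, f.user, f.policy, f.action, f.violations)
    print(unapproved_app_report(INVENTORY))
```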
An organization's policy of what security features are required, or that could be enabled, should be written out before entering into conversations with MDM vendors. Knowing how locked down an enterprise wants mobile devices to be will assist it with asking the proper questions when procuring a mobile management and security product.
How is the MDM product priced?
MDM products are priced out in a few different ways today. So be sure to have
all budgeting options reviewed before making a purchase. For instance, first
determine if the MDM system desired is going to be based in the cloud or on-
premises, as these types of MDM deployments will affect the organization's IT
budget in different ways. Cloud-based MDM will be an operational expenditure (OpEx), meaning that it would come from the budget that allows for licensing and operational improvements to the business, while an on-premises MDM deployment will mostly be a capital expenditure (CapEx), meaning it will be seen as a fixed asset (or something that will be used as an improvement to the business).
The funds for an MDM product need to be procured from the appropriate budget (OpEx or CapEx) before a decision is made as to which type of MDM (cloud or on-premises) should be installed. It may be cheaper to go cloud MDM, for example, but the OpEx budget may not be there to support that type of
deployment. As a result, this could force an organization's hand toward an on-
premises product.
Also, in terms of user licensing, there are pricing models where vendors license MDM systems either by device or by user. Depending on the organization, it may be cheaper to go with a user-based model (where the organization pays for one user account and puts it on as many devices as needed) or the device-based model (where a vendor charges based on every system that its software is installed on).
There are also times organizations can pay via a hybrid model (using user and
device licensing) to help them get the most for their money. As an example, it
would be more straightforward to purchase a device-licensed MDM product if
users are going to be issued devices via a company that controls what the
employees use. This is compared to the user option, where organizations let
end users install a license on multiple devices, not just the one that IT may have
issued to them. There's also a hybrid licensing method that can be used to allow
organizations to use device licensing for those using one device issued by the
company, and user-based licensing for those (like executives) that want multiple
devices at their disposal.
Conclusion
There are many factors to consider when purchasing an MDM product for
securing and managing mobile devices. The questions outlined in this article are
designed to get readers thinking about their organization's individual MDM
needs before starting to evaluate specific MDM vendors.
The biggest decision to make is the type of MDM to install. Will it be a
containerized system or a containerless MDM? After deciding which way to go
regarding this approach, administrators should decide what security options
they want in an MDM product.
We reviewed some of the major selections above (remote wipe, password lockdown, app whitelist, among others), but a thorough proof-of-concept should be run to verify the product is providing the intended security it is advertising within an organization's particular IT environment. This is important because many times there are features, such as certificate management, that need to be tested within the current production environment before an organization can know for sure an MDM product is a good fit.
Once this is completed, the organization needs to review where the MDM will be installed and managed. Will it be in the cloud, or will it be brought in-house to be managed? Does the organization have the resources to manage
the system in-house, or does it trust the application being installed outside its
network (in the case of cloud-based MDM)?
These decisions will vary slightly by the size of the company. Many times a
smaller company will choose the cloud with a single device license because it's
easier to manage, whereas a medium to large company may want an MDM
that's container-based with user licensing that is installed in-house because it's
worried about the loss of data across multiple user devices.
The next article in this series will present the leading MDM products and
vendors, discuss the strengths and weaknesses of each, how they meet the
criteria laid out in this article and why they might be a good choice for your
organization's needs.
Comparing the best mobile device management products
Matthew Pascucci
Expert Matt Pascucci examines the top mobile device management
offerings to help readers determine which MDM products may be the
best fit for their organization.
The mobile device management (MDM) space is growing at a rapid pace, and is
widely used across the enterprise to manage and secure smartphones and
tablets. Investing in this technology allows organizations to not just secure
mobile devices themselves, but the data on them and the corporate networks
they connect to as well.
The market for MDM products is saturated now, and there are new vendors
arriving in this vertical on a consistent basis. Many of the larger names in mobile
security, meanwhile, have been buying up smaller vendors and integrating their
technology into their mobile management offerings, while others have remained
pure mobile device management companies from the beginning. So what are
the best mobile device management products available today?
Since the mobile security market has become so crowded, it is harder than ever
to determine what the best mobile device management products are for an
organization's environment. To make choosing easier for readers, this article
evaluates five leading MDM companies and their products against the most
important criteria to consider when procuring and deploying mobile security in
the enterprise. These criteria include MDM implementation, app integration, containerization vs. non-containerization, licensing model and policy management, while the mobile management vendors covered are Good for Enterprise, AirWatch, MobileIron, IBM (previously FiberLink) and Citrix.
That being said, there are also niche players -- such as Blackberry -- that are
attempting to move into the broader MDM market outside of just securing and
managing their own hardware, as well as free offerings from the likes of Google
that are trying to compete with the above list of MDM vendors by providing tools
to assist in the management of Android devices. Even Microsoft has a small amount of MDM built into its operating systems that allows for the management of mobile devices.
Today, the vast majority of mobile devices in use (both smartphone and tablet)
run on either Apple's iOS or Google's Android OS. So while many of today's
MDM products are also capable of managing Windows phones, Blackberries
and so on, this article focuses mostly on their Apple and Android management
and security capabilities.
Selecting the best mobile device management product for your organization isn't
easy. By using the criteria presented in this feature and asking the six questions
outlined in our previous article in this series on mobile security, an organization
will find it easier to procure the right mobile management and security product to
satisfy its enterprise needs. Let's get started.
Criteria #1: Implementation of MDM
Organizations should understand and plan out their mobile device deployment
and MDM requirements before looking into vendors. The installation criteria for
MDM are normally based off a few things: resources, money and hardware.
With that being said, there are two distinct installation possibilities when
deploying an MDM product.
The first is an on-premises implementation that needs dedicated resources,
both from a hardware and technical perspective, to assist with installing the
system or application in a network. Vendors like Good for Enterprise require the installation of servers within an organization's DMZ. This will necessitate firewall changes and operating system resources to implement. These systems will then need to be managed appropriately to verify that they're consistently patched and scanned for vulnerabilities, among other tasks. In essence, this type of
MDM deployment is treated as an additional server on an organization's
network. It's possible that a smaller business might shy away from an install of
this nature due to the requirements and technical know-how it would take to get
off the ground. On the other hand, if businesses are able to manage this type of
mobile management and security product, it gives them complete ownership of
these systems and the data that's on them.
The second installation type is a cloud-based service that allows for an
installation of MDM off-premises, removing any concerns regarding
management, technical resources and hardware from becoming an issue for an
organization. Vendors like AirWatch have the ability to let customers provision
their entire MDM product in the cloud and manage the system from any Internet
connection. This is both a pro and a con: It provides companies with resource
constraints (like not having the experience or headcount) with the ability to get
an MDM product set up quickly, but it does so at the risk of having data reside
outside the complete control of these organizations -- within the cloud.
Depending on an organization's resource availability, technical experience and
risk appetite, these are the two options (on-premises and cloud) currently
available for installing MDM.
Criteria #2: App integration
Apps on a mobile device are a major reason their popularity and demand has
increased exponentially over the years. Without the ability to have apps work
properly and yet securely, the power of mobile devices and the ability for users
to take full advantage of these tools becomes severely limited.
MDM companies have realized this need for functionality and security, so
they've created business grade apps that enable productivity without
compromising the integrity of mobile devices, the data on them and the
networks they connect to. Products like Citrix XenMobile have created Worx apps that are tied together and save data in a secure sandbox on mobile devices, so users don't need to send business data to unapproved, potentially insecure apps outside an enterprise's control. The sandboxing technology works by securing, and at times partitioning, the MDM app separately from the rest of the mobile OS, essentially isolating it from the rest of the device while still allowing users to work securely and efficiently.
There are also third-party apps that MDM vendors have partnered with to create
branded versions of these apps to use on their MDM. Good for Enterprise has,
for example, partnered with many large vendors to accommodate the need to
use their apps with their MDM. This integration between vendors is extremely
helpful and adds to the synergy between both vendors to allow for better
security and more productive users.
Whether you're using apps created by an MDM vendor to allow additional
security, or apps that have been developed through the collaboration of the
MDM vendor and third parties, it's important to know that most of the work on a
mobile device is done via these apps, and securing the data that flows through
and is created on them is important.
Criteria #3: Container vs. non-container
There are two major operational options available when researching MDM products: MDM that uses the container approach, and MDM that uses the non-container approach. This is a major decision that needs to be made before selecting a mobile management product, since most vendors subscribe to only one of these methods. This decision, whether to go with the container or non-container method of mobile management, will guide the policy, installation of apps on the mobile devices, BYOD plans and data security of the mobile devices that an organization is looking for an MDM product to manage.
A containerized approach is one that keeps all the data and access to corporate
resources contained within an app that's downloaded to mobile devices. This
app will normally not allow access from data outside the mobile device into the
app and vice versa. Both Good for Enterprise and IBM (Maas 360 Fiberlink)
offer MDM products that allow customers to use a containerized approach.
Large companies tend to benefit from this approach -- as do government agencies and financial institutions -- as it tends to offer the highest degree of protection for sensitive data. Once a container is removed from a mobile device, all organizational data is gone and the organization can be sure there was no
leakage of data onto the mobile device that might be left over. This method is
used to ensure, without a doubt, that data on this device was removed and
there was no leakage of data to other areas of the device.
In contrast to the restrictive tactic used by containerization, the non-container approach allows for a more fluid and seamless user experience on mobile devices. Companies like AirWatch and MobileIron are the leaders in this approach, which secures mobile devices via policy and integrated apps. These systems rely on pushing policy to the native OS to control mobile devices. They also support multiple integrated apps (supplied by trusted vendors the MDM companies have partnered with) that add an additional layer of security to the data.
Many organizations, including startups and those in retail, lean toward the non-
container approach for mobile management and security due to the speed and
native familiarity that end users already have with their mobile devices -- with
OS-bundled calendaring and mail apps, for example. However, keep in mind that in order to completely secure all data on mobile devices, the non-container approach requires the aforementioned tight MDM policy and integrated apps to enforce the protection of the business's data.
Criteria #4: License models
The licensing model for MDMs has changed slightly in recent years. In the past,
there was only a per device license model, which means organizations were
pushed into licensing models that weren't very effective for them financially. Due
to the emergence of tablets and users carrying multiple smartphones, there
became the need to have a license model based off of the user (and not the
individual device). All the MDM products covered in this article today offer similar, if not identical, pricing models. The MDM vendors have all listened to the call of customers and realized that end users in this day and age don't always have just one device. Which licensing model -- per-device or user-based -- an organization chooses depends on the inventory of mobile devices a company has.
The per-device model normally works well in a small company. In this model,
every user would get a device that would go toward the organization's total
license count. If a user has three devices, all of these would go toward the total
license count that the business owns. These licenses are normally cheaper per
seat, but can quickly become expensive if there are multiple devices requiring
coverage per user.
The user-based pricing model, by contrast, takes into account the need for
users to have multiple devices that all require MDM coverage. With this model,
the user name is the basis of the license, and the user can have multiple devices attached to that one license. This is the reason many larger organizations lean toward this model, or at least a hybrid approach of the two licensing models, to account for users who have multiple mobile devices in use.
MDM criteria #5: Policy management
This is a large and important feature within mobile device management, and
one that needs to be reviewed by an organization selecting the MDM with either
an RFP or something that outlines the details of what type of mobile device
policies it requires. Mobile policies have the ability to let organizations make
granular changes to a mobile device and allow it to limit certain features
(camera, apps, among others), push wireless networks, create VPN tunnels,
whitelist apps and so on to a mobile device. This is the nuts and bolts of MDM,
and a criterion that should be reviewed heavily during the proof of concept stage
with specific vendors.
This ability to push certain features of a policy to mobile devices is certainly
required, as is the ability to wipe devices remotely if the need occurs should
they be lost or stolen. While all the MDM products covered in this article provide
the ability to remotely wipe mobile devices, in the case of Good for Enterprise
and IBM, organizations have the option to wipe mobile devices completely or
just remove the container.
Also important is for MDM products to include the ability to perform options such as VPN connections, wireless network configurations and certificate installs (which AirWatch does a great job of). These options need to be asserted in an RFP
beforehand to determine what part of the mobile device policy you're looking to
secure within mobile devices. Evaluating what policy changes can be pushed to
a mobile device, and what functions an organization might want to see within a
policy will help guide it toward making an educated decision on the best mobile
device management products for it.
Most times there will be multiple policies created that allow certain users to receive a particular policy, while allowing someone with other needs to receive a completely different MDM policy. This is a standard function within all MDMs, but it should be understood that a single policy for all users is not always practical.
Finding the best mobile device management product for you
There are many vendors in this very saturated market, but following these five
criteria should assist organizations with narrowing the field down to find the best
mobile device management products available today. There is much overlap
between vendors, but finding the right one that secures an organization's data
completely and allows full coverage, with the ability to manage all the aspects needed in a policy, is what businesses should be aiming for in MDM products.
Many large companies, especially those in the financial or government sector,
are running Good for Enterprise due to the extra layer of security it provides by
leveraging a container and integrated apps developed by vendors they partner
with. IBM Maas 360, on the other hand, offers both a container and non-
container approach to mobile security and management, which makes it
suitable to larger enterprises that require some flexibility in terms of operational
method deployment. This gives IBM Maas 360 the ability to play toward both
sides and gives them some leverage against competitors by being able to
attract customers from both mindsets.
Many midsize companies don't have to meet the level of security imposed by large financial clients, for example, and thus aren't rushing to boost their mobile device security. We've seen many times that compliance will bring an extra layer of required security, however, thereby making these organizations more conscious at times about securing data on mobile devices. Midsize to large companies (those outside of the financial sector) tend to run AirWatch or MobileIron MDM, due to the ability of these mobile security platforms to keep the native feel of mobile devices intact while being able to push custom policies to the clients that secure the mobile devices.
As for the MDM apps and the ability to have them integrated into the offering, Citrix is performing very well in this area with its XenMobile Worx apps,
having shown that it’s pushing the boundaries within this area. These apps are
selling points to many customers who want to integrate their data onto a mobile
device, but want the flexibility to manage the data these mobile apps are
consuming. By dispensing these approved apps to managed mobile devices
and writing policy for their data to be used on these apps, MDM products such
as Citrix's assist with adding an extra layer of data control for the company and
ease of use for the user.
In conclusion, the MDM market is expanding exponentially each year and
mobile devices have become an indispensable tool for users within a business.
With this continued growth in mobile, organizations need to be able to protect
these mobile devices and the data they hold to make sure that the growth that
they've assisted in doesn't become an organization's downfall.
About the author
Matthew Pascucci is an information security engineer for a large retail company
where he's involved with vulnerability and threat management, security
awareness and daily security operations. He’s written for various information
security publications, has spoken for many industry companies, and is heavily
involved with his local InfraGard chapter. Pascucci covers topics relating to
network security.