How Does Mobile Device Management (MDM) Work?

This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.

Enterprise IT and security teams are stretched thin by the growing number of mobile device types invading the enterprise -- many owned by employees -- the variety of OSs and the sheer volume of mobile apps users are requesting. Questions abound.

How, for example, will IT ensure corporate intellectual property remains intact? Who has responsibility for updating, distributing and securing mobile apps being developed by various departments and/or geographic divisions? How do enterprises gain an acceptable balance of security and corporate resource-access across all of the leading mobile platforms (Android, BlackBerry, iOS and Windows Phone)?

CLEAR CHOICE TEST: How to protect smartphones and tablets

GARTNER: How to get a handle on mobile device management

Organizations seeking to address these issues are increasingly turning to mobile device management (MDM) software. The MDM market is evolving rapidly, meaning vendors that previously had first-mover advantage have had to evolve to support new platforms and the enterprise's shifting needs. In addition, new disrupters have tried to enter the MDM space with repurposed product, primarily from adjacent markets such as mobile services management (MSM), mobile security (endpoint/VPN), and telecom expense management (TEM).

Regardless of its origin, the complete MDM solution should address the complete enterprise mobile security, device, data and app life cycles.

Securing enterprise mobility with MDM typically involves four primary phases. Phase 1 focuses on provisioning, during which devices "inherit" an enterprise persona, as determined by the mobile IT and security staff in charge of enterprise mobility. This phase includes leveraging all existing corporate network infrastructure to help avoid resource complexity and duplication.

Many of the devices being provisioned are personally owned mobile devices that are also used for business apps. This bring-your-own-device (BYOD) trend is one of the more dramatic results of the consumerization of IT, in which consumer preference, not corporate initiative, drives the adoption of technologies in the enterprise.A

Mobile IT has increasingly allowed BYOD to drive employee satisfaction and productivity through the use of new technologies, while simultaneously reducing mobile expenses. However, many newer smartphones, tablets, and their apps were not built with enterprise requirements in mind, so IT teams often feel uncomfortable about security and supportability. [Also see: "Can employee-owned devoices save companies money?"]

BYOD has many complex and hidden implications, such as the need for privacy policy, separate policies for corporate vs. personal devices, and certificate-based identity, for which a strategy needs to be defined in advance of implementation. For example, MDM software ideally uses an enterprise's existing certificate authority to secure the device, thus leveraging security and network investments IT has already made. In fact, the MDM software can serve as the centralized certificate authority server for corporate resources, including ActiveSync (email access).

Phase 2 involves the mobile IT team actively managing all devices -- phones, tablets, iPod Touches, etc. -- to help ensure the original enterprise persona remains intact. At this point, users are given wide-ranging access to corporate resources, including apps, email, secure directories and even cloud-based file storage. Ideally, the mobile IT team has also published a corresponding "declaration" to its mobile users, outlining what is permissible (e.g., using your device for non-business gaming) and what is not (e.g., downloading a virus-laden open-source game).

When new devices are added to the enterprise, the existing persona is literally imprinted via MDM software before the device can gain access to corporate resources. MDM controls different levels of business permissions, including those derived from LDAP and Active Directory, so that rules and policies are granularly defined based on an employee's role, division or seniority. For example, a company implements different security policies for senior executives in finance than it does for entry-level sales staffers.

Lastly, with the growing use of open source apps and operating systems, mobile IT can easily deny access to the corporate network based on the security posture of the device, denying network access to compromised (jailbroken or rooted) devices, app permissions (including whitelist and blacklist) and policy sharing, so new mobile apps have enterprise permissions "pre-baked" before deployment.

In Phase 3 mobile IT is now responsible for managing mobile apps for business users. In this phase, mobile IT management must address a nearly infinite variety of apps, devices, personas and operating systems. MDM helps solve this complex set of issues, including the ability to deliver a private, company-specific enterprise app storefront. This corporate application library is discoverable and provides both the tightest security and best end-user experience for the distribution, inventory and delivery of mobile applications companywide.

Last, Phase 4 of the continuous MDM software life cycle has users limiting their costly mobile service plan overages with the help of MDM software application programming interfaces (APIs) designed to detect and reduce international plan overages. Of the millions of the Fortune 1000 enterprise users depending on MDM software, a majority of them experience international plan overages measured by $10,000 or more per month.

Of course, when the user leaves the company, the mobile IT group uses MDM to simply remove the enterprise, personal and all accompanying permissions to protect their intellectual property. MDM software accomplishes this task on employee devices (BYOD) by means of a selective wipe, ensuring that no pictures, music or other non-work files are removed. For corporate-liable devices, MDM software offers a complete wipe and device "retirement" before it can be re-enabled for a new user.

MDM software has clearly become an indispensable tool for mobile IT as all of these enterprise devices undergo rapid consumerization. In closing, the recent Forrester "Consumerization Drives Smartphone Proliferation" report validates three MDM trends:

1. Consumerization is the dominant force in smartphone selection. Seventy-seven percent of smartphones used at work are chosen by an employee, and 48% are chosen without regard for IT support. That means only 23% of the smartphones used at work in the U.S. are delivered as a take-it or-leave-it device by IT. And three-fifths of that 23% are BlackBerries.

2. Consumerization means choice, which means Apple and Android devices. RIM still has a plurality of smartphones in U.S. companies and organizations with 42% of the installed base. But together, Android (26%) and Apple (22%) have a bigger slice of the workforce market than does RIM. The force of consumerization becomes even clearer when you see that when people choose their own phone, 59% choose Android or Apple while 25% select BlackBerry. [Also see: "Mobile device management: Apple's extra little tricky requirement"]

3. Consumerization also means that employees are willing to share the cost burden. Employees pay all (48%) or some (9%) of the cost of the smartphone they use for work. They also pay all (40%) or some (14%) of the cost of the monthly bill. While there is no guarantee that every employee wants one phone for both work and personal use, it's clear from the data that a majority of U.S. information workers today are willing to share the cost and the benefit of a smartphone used at both home and work.

Enterprise IT and security teams ultimately need MDM software to keep secure pace with the growing complexity of device types, OS options and sheer velocity of mobile apps in their user's hands.

MobileIron's purpose-built MDM software provides global companies with a highly scalable solution for mobile device management, security and enterprise app storefronts and was positioned in the Leaders Quadrant of Gartner's Magic Quadrant for Mobile Device Management.

Read more about wide area network in Network World's Wide Area Network section.

Copyright © 2012 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)