

MDM policy helps protect information, mitigate security risk

Enterprise mobility expert Bryan Barringer discusses the evolution of mobile device management and the data security benefits of MDM policy development.

Mobile device management has been around for a few decades, but only in the smartphone age has it become a vital tool for IT teams to manage what can and cannot be done with mobile devices in the corporate setting. Until a couple of years ago, mobile device operating systems didn't provide enterprise IT administrators with much real control to govern devices. Today, however, mobile device management (MDM) tools are keeping pace with evolving mobile operating systems and providing enterprises with controls necessary to govern mobility.

But what does an MDM system actually do? The best way to explain it is to first look at operating systems. Apple iOS, Android and Windows Mobile all have what are called application programming interfaces (APIs). Without going into technical detail, the best way to describe APIs is to give you an example: Let's say you are using the Facebook mobile application on your iPhone 6. One feature of the application is the capability to upload or post a photo from your phone's image gallery or any picture taken with your phone's camera. The Facebook application will "call" upon the Image Gallery API to access the library of images available on the phone, and upload them to the Facebook servers so that your friends can see the photos.

What does this have to do with MDM? Well, just like the Facebook application interfacing with the phone's resident APIs, enterprise MDM interacts with APIs on mobile devices.

For example, let's say that your enterprise has an MDM system in place. Employees have an application that can create observation reports, but you don't want the application to interact with an employee's phone's native image gallery. Additionally, you decide that it's OK for the device's camera to be used for the report, but the images can be stored only in an encrypted and secured location on the phone. You would implement those controls by setting up a policy in the MDM system.


Under this example, the policy would instruct the phone to allow or disallow certain features when it is operating under the enterprise-managed application.

To elaborate, the enterprise MDM policy does not directly restrict the use of the image gallery or the camera; it instructs the phone to take that action. This is very important to understand: MDM is an instruction control system; it cannot reach into the phone's operating system and restrict features. In the example above, the MDM policy restricts the image gallery and image storage feature for an enterprise-managed application. The policy instructs the phone's operating system to restrict the use of the specific APIs, or instructs the APIs to be used in a certain way.

Today's mobile device operating systems have thousands of APIs that can be controlled in different ways. All IT needs to do is establish a policy that "instructs" what type of user behavior is approved when using a phone. This policy would basically comprise a set of rules an MDM administrator creates in the admin console. Policies are then "assigned" to certain device types or even user types.

Another real-world example involves restrictions placed on devices used by executives as opposed to front-line staff team members. Executives typically have access to networked content servers that most others in the company do not. Therefore, the MDM administrator will create a policy that can be tied to an Active Directory group that allows only the users within that group access to certain network drives. In this case, the executive team would be part of the group and therefore would be allowed access to these network drives via their MDM-managed smartphone. Conversely, BYOD users on the front line would not have access to these drives based on their group membership and the company's MDM policies.

These are just a couple of examples of how important MDM is to governing appropriate and restricted use of mobile devices. Here are some other important ones you can include in your MDM policy:

Examples of MDM in governing appropriate use of mobile devices

Device type, OS and version controls. The MDM policy can restrict access to phones that don't meet certain criteria. For example, because iOS version 7 is significantly more enterprise-ready than version 6, an MDM policy can be tailored to deny iPhones that do not have iOS 7 installed access to corporate assets and networks.

Jailbroken or rooted. Android and iOS systems can be jailbroken or rooted; that is, each can be altered by an end user to bypass security controls native to the device. The MDM policy should state that if these alterations are discovered on a device accessing corporate information, the device will be immediately denied access and could even be remotely wiped. Without an MDM policy, the IT administrator may never be aware of employees using altered devices that could obtain unfettered access to restricted enterprise data.

Encryption and security. Many end users do not use screen locks or password-controlled entry to their personal device. However, with BYOD, the enterprise can enforce such controls to ensure security of sensitive content. The MDM policy can apply controls to the device, including requiring a screen lock or certain password restrictions (e.g., eight-character alphanumeric, simple/complex, etc.). Also, an MDM policy can enforce device encryption.

Application controls. Many applications are harmless, but some are not nearly so innocent. The MDM policy can both blacklist and whitelist applications. In recent months, Google announced that a few Android applications in the Google Play Store contained a small piece of embedded malware. An MDM policy would blacklist these apps so that if a device has one of them on board, access to the corporate network is denied. Once the application is removed from the device, access is restored by the MDM compliance check.
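The four policy areas above (OS version, jailbreak or root status, screen lock and encryption, and application blacklisting) all reduce to the same mechanism: a compliance check that compares what the device reports against the administrator's rules and denies access on any violation. The following is an added illustration, not code from the article or from any MDM product; the report field names, the `Policy` rule set and the sample device are assumptions.

```python
# Added example, not from the article: evaluate a device compliance report
# against MDM-style policy rules. Field names and sample values are assumed.
from dataclasses import dataclass, field


@dataclass
class Policy:
    min_os: dict = field(default_factory=dict)   # platform -> minimum version tuple
    require_lock: bool = True
    require_encryption: bool = True
    min_passcode_len: int = 8
    blacklist: set = field(default_factory=set)  # app identifiers denied access


def parse_version(s: str) -> tuple:
    """'7.1.2' -> (7, 1, 2); stops at the first non-numeric component."""
    parts = []
    for piece in s.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def check_compliance(device: dict, policy: Policy) -> list:
    """Return the list of violations; an empty list means access is allowed."""
    violations = []
    minimum = policy.min_os.get(device.get("platform", ""))
    if minimum and parse_version(device.get("os_version", "0")) < minimum:
        violations.append("os_version below minimum %s" % ".".join(map(str, minimum)))
    if device.get("jailbroken", False):
        violations.append("device is jailbroken or rooted")
    if policy.require_lock and not device.get("screen_lock", False):
        violations.append("screen lock not enabled")
    if policy.require_lock and device.get("passcode_length", 0) < policy.min_passcode_len:
        violations.append("passcode shorter than %d characters" % policy.min_passcode_len)
    if policy.require_encryption and not device.get("encrypted", False):
        violations.append("device storage not encrypted")
    for app in device.get("installed_apps", []):
        if app in policy.blacklist:
            violations.append("blacklisted app installed: " + app)
    return violations


# Constructed sample policy and device report (not real data).
EXAMPLE_POLICY = Policy(min_os={"ios": (7, 0)}, blacklist={"com.example.badapp"})
EXAMPLE_DEVICE = {"platform": "ios", "os_version": "6.1.3", "jailbroken": True,
                  "screen_lock": True, "passcode_length": 4, "encrypted": True,
                  "installed_apps": ["com.example.badapp", "com.example.reports"]}
```

Running `check_compliance(EXAMPLE_DEVICE, EXAMPLE_POLICY)` on the sample report yields four violations (old OS, jailbroken, short passcode, blacklisted app); once the report changes so the list is empty, access is restored, which is the compliance-check behaviour the article describes.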

The ways in which an MDM policy can assist mobile data governance are almost countless, and enterprises can pick and choose which aspects best suit their needs. In my professional opinion, there is no way an enterprise can benefit from mobility without having such a policy in place.

About the author:
Bryan Barringer is a technology and business operations expert who specializes in mobility, user adoption, UX/UI design, customer acquisition, product design/management, strategy and business development. Starting at FedEx in 1994, Bryan was tasked with evaluating mobile solutions for operations and sales professionals and went on to become leader of FedEx Services' Office of Mobility and Collaboration before leaving the company in June 2014. He is now an independent enterprise mobility consultant and speaker.
