The enterprise mobility management (EMM) suites available on the market today do a fantastic job of managing mobile device compliance and data governance. That is, of course, if there is a policy in place that clearly defines the types of devices that can be used in the enterprise, as well as what each of those devices can and cannot do in relation to applications, content development and access to the corporate network. If an enterprise wants to support only iPhones, for example, there is no problem: It simply sets policies to block other smartphones. If the company wants to quarantine and block a device that has been rooted or is jail-broken, that's easy too: Set a policy so the EMM tool will mark the device as noncompliant and restrict its access.
Typically, EMM suite vendors are very good about keeping their toolkits up to date with mobile device technology advances. For each technological release, however, there could be hundreds of possible restriction options for each device hardware type, operating system or application. For the iPhone, it is a bit more straightforward because there is only one provider. And Microsoft devices are managed mostly like their desktop/laptop counterparts. But in the Android space, there are dozens of hardware vendors, and each includes its own twist on the very popular operating system. For IT departments, trying to manage all of these variations would be impossible if it were not for EMM's ability to automate compliance data governance.
Automated compliance management systems enable enterprise mobility administrators, usually in coordination with the information security team, to establish a set of GRC "rules" that allow the EMM tool to do all the heavy regulatory lifting. An example: Let's say that over the weekend, an employee with a corporately owned device decides to root his or her Android OS to make fairly harmless modifications to the phone's operating system. The company, however, has a policy that doesn't allow rooted (or jail-broken) phones to access the network because doing so could result in a network security breach. If the phone is required to "check in" for authorization before it can access the network, the EMM suite can intercede and restrict the device from accessing the network. Also, a good EMM policy will initiate notifications to the employee, the company's IT mobility administration and possibly even the employee's supervisor.
All these processes can be automated by setting data management rules in the EMM tool. This is a huge timesaver for the IT team. But as mobile technology evolves, the policies must change as well. When new features are introduced to mobile devices, administrators must change the policy that defines the EMM's data governance rules, and the tool will update all device profiles accordingly. If you're a mobile IT administrator responsible for thousands of devices, you'll no doubt welcome the ability to push a change out once and have the EMM suite do the hard part.
By the same token, as government regulations change, EMM tools make reacting to the new rules easier. For instance, when the Payment Card Industry Data Security Standard (PCI DSS) is updated, enterprises need to implement the new controls and processes on all of their managed devices. This process is much easier when the change is made just once via a big push through EMM policy. Another example is at large healthcare networks, where staff increasingly track patient information using handheld devices. As HIPAA regulations evolve, healthcare providers can ensure compliance with the new rules through an automated push through EMM processes.
EMM tools, when used in concert with employee management tools like Active Directory and identity management (IDM) software, are also useful in controlling network access. Too often, an employee will leave a company or be terminated but the employee's network access doesn't get revoked. With a simple change in an IDM solution that is integrated with an EMM suite, the terminating manager can simply revoke mobile access privileges by changing the employee status from "active" to "terminated." The IDM system, in coordination with the EMM suite, will immediately and automatically revoke access by the terminated employee device and can even initiate a remote wipe of the device's data. Again, using automated management processes set to trigger via the EMM tool allows these actions to be taken without intervention by the IT administrators.
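To make the check-in rules described above concrete, here is an added sketch (not any EMM vendor's API or schema) of how the rooted-device rule, the supported-platform rule and the IDM termination rule could be evaluated together at check-in. The class, field and action names are hypothetical, and failing closed on an unrecognised IDM status is an assumption of this example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:                      # constructed policy, not a vendor schema
    allowed_platforms: set = field(default_factory=lambda: {"ios", "android"})
    block_rooted: bool = True
    wipe_on_termination: bool = True

@dataclass
class CheckIn:                     # what the device agent and the IDM report
    device_id: str
    platform: str
    rooted: bool                   # rooted or jailbroken
    owner_status: str              # "active" or "terminated", from the IDM

def evaluate(checkin: CheckIn, policy: Policy) -> dict:
    """Decide network access and follow-up actions for one device check-in."""
    # Termination outranks every other rule: revoke, and wipe if policy says so.
    if checkin.owner_status == "terminated":
        actions = ["revoke_access"]
        if policy.wipe_on_termination:
            actions.append("remote_wipe")
        return {"access": "revoked", "reasons": ["owner terminated"],
                "actions": actions, "notify": []}
    reasons = []
    if checkin.owner_status != "active":
        # Assumption of this example: an unrecognised IDM status fails closed.
        reasons.append("unknown owner status")
    if checkin.platform not in policy.allowed_platforms:
        reasons.append("unsupported platform")
    if policy.block_rooted and checkin.rooted:
        reasons.append("rooted or jailbroken")
    if not reasons:
        return {"access": "granted", "reasons": [], "actions": [], "notify": []}
    notify = ["employee", "mobility_admin"]
    if "rooted or jailbroken" in reasons:
        notify.append("supervisor")    # the article's optional third recipient
    return {"access": "restricted", "reasons": reasons,
            "actions": ["mark_noncompliant", "restrict_access"], "notify": notify}

if __name__ == "__main__":
    # Constructed check-ins: the weekend-rooted phone and a terminated employee.
    for c in (CheckIn("A1", "android", True, "active"),
              CheckIn("B2", "ios", False, "terminated")):
        print(c.device_id, evaluate(c, Policy()))
```

Because the termination rule is checked first, a terminated employee's device is revoked and wiped even if it would otherwise pass every compliance check.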
Having worked with many IT mobility administrators over the years, I know how daunting it was to manage devices when EMM solutions didn't have automated compliance management capabilities. Now, however, IT staffers can spend their time taking advantage of the business benefits created by enterprise mobility rather than focusing on keeping devices compliant.
About the author:
Bryan Barringer is a technology and business operations expert who specializes in mobility, user adoption, UX/UI design, customer acquisition, product design/management, strategy and business development. Starting at FedEx in 1994, Bryan was tasked with evaluating mobile solutions for operations and sales professionals and went on to become leader of FedEx Services' Office of Mobility and Collaboration before leaving the company in June 2014. He is now an independent enterprise mobility consultant and speaker.