The 5 Keys To MDM

Mobile devices can be a real pain.  They may have been brought in by the user through BYOD, with the organization having little control over them. And even where the organization has provided them, users have a propensity for losing the devices on a pretty regular basis.  Topping it all off is the ease with which users can download apps for their own use — and then expect that these non-enterprise apps will work in their enterprise environment.

What steps can be taken to give a degree of enterprise control over what is essentially a consumer device? Some of the following can be used in combination; some stand-alone:

1) Centralize everything.  Server-based computing means that not only the desktop but all the applications and data can be held by the organization — not by the user on the device.  As everything has to go through the center, other tools such as data leak prevention (DLP) and VPNs can be implemented for additional security.  Sure, it means that a good online connection is needed, but it is a solution, turning the device into a lump of silicon, metals, and plastics used just as a window on the enterprise world.

2) Sandbox wherever possible.  Using a sandbox on the device gives greater granular control over data use.  For example, the user may be prevented from cutting and pasting data, or forwarding emails. Sandboxing also means that even if the user trawls through every rogue web site on the planet and ends up with a massively infected device, the worms, Trojans and other malware cannot pass through the walls of the sandbox, keeping the organization clean.

3) Encrypt.  Encrypt data on the move and at rest, so that even if data does manage to get out from the centralized system and the sandbox, it is just a random collection of 1s and 0s that will need a load of compute power thrown at it before anyone can try to read it.  Encryption of data on the move is just as important, to stop man-in-the-middle attacks and anyone taking the data in transit.

4) Offer enterprise quality apps.  Users are a little like magpies — they see something shiny and want it, immediately.  App stores are full of shiny stuff.  If you look at a user’s device, it will typically have tens to hundreds of apps on it, many of which have been paid for, most of which are unused after the first two or three times.  Some will, however, endure — identify these, find enterprise-quality apps that give equivalent or better functionality with equal or better ease-of-use, and make them available to the users directly via a corporate portal.  Make it known that the other apps are non-preferred — and that any data loss caused through the use of non-preferred apps will be a disciplinary issue. Apps will result in the use of the device as more than a window on the world, so make sure that the apps do give good levels of security and central manageability.

5) Use secure streaming.   An alternative to using device-specific apps, secure application streaming from a company such as Numecent means that standard enterprise applications can be rapidly, effectively, and securely run natively on the mobile device without any major changes to the application.  The device’s own compute power can be directly harnessed and data can be temporarily stored on the device in a non-persistent manner so that the user gets the benefits of local compute speed, rather than everything happening over the mobile or WiFi network.

The one thing that you may have noticed here is that although this piece is nominally about mobile device management, there has been no mention of MDM tools.  Unfortunately, MDM tools as a means of controlling enterprise data tend not to work, as you need to have a degree of control over the device that the user may not want you to have.  Therefore, by following the five tips above, you could provide a data management environment that has no need for a device management component.

And that is how it should be — the device may be worth a few hundred dollars, and managing the data effectively ensures the device is never worth more than that.  Trying to apply rules and controls over data that is stored persistently on the device means that the device could be worth millions or even billions of dollars in the wrong hands — if they can get to the data held on it.

Image credit: Taki Steve (flickr) – CC-BY-2.0

  • Richard Milton

    There is an even simpler solution. Give your employees (or tell them to get) Windows Phones. Only professional quality apps are available and there is no malware in the app store. So you don’t need a sandbox or encryption. All these points are really aimed at Android users. Solution – don’t use Android.

    Richard Milton
    Editor, Windows Phone News

  • Clive Longbottom

    A rather blinkered view, unfortunately, Richard. The whole idea of BYOD is that users choose the device they want – and the figures show that as yet WP is not high on their list. An embracing view has to accept that iOS, Android, Blackberry, WP and whatever else comes down the line will need dealing with – and the above tries to give a platform for a flexible approach. Prescribing WP is no better than the earlier prescription of Nokia 6310 phones, or Dell laptops, or enforcing the wearing of white shirts…