Mobile devices like smartphones and tablets that are used to access work email, calendar, contacts, and documents play a big part in making sure that employees get their work done anytime, from anywhere. So it’s critical that you help protect your organisation’s information when people use these devices. You can use a Mobile Device Management (MDM) solution to help meet this requirement. An MDM solution delivers a service that allows an organisation to remotely control, monitor and enforce policies on employee mobile devices, and can even wipe mobile devices if they’re lost or stolen.

Do I really need an MDM solution?

When considering if you need to invest in an MDM solution for your organisation, some of the questions you might want to ask include:

  • Is the organisation supplying work phones for its staff, or is it following a Bring Your Own Device (BYOD) approach? If the organisation is supplying the phones then you can control how they are initially set up. This means you might be able to take an approach of ensuring the phones are secured with a PIN, are encrypted and that the phone’s built-in ‘remote wipe’ facility is enabled. If you combine such an approach with an appropriate Smart Phone use policy, then that may be enough ‘management’ to ensure your organisation’s data is suitably protected.
    • Apple Find My App – How to find or erase lost Apple devices
    • Find My Device – Find, lock, or erase a lost Android device
    • Find My Mobile – Find, lock or erase Samsung Smart Phones
  • How many smart phones will be used in the organisation? If there are only 2 or 3 smart phones being used in your organisation then you may be able to ‘manage’ these manually, especially if they are supplied by the organisation. Such an approach might even work in a BYOD situation if the staff members concerned are happy to give someone access to their phones to turn on the required security features. Once again you will need to combine this with an appropriately worded Smart Phone use policy.
  • Can you ensure that your staff cannot access the organisation’s services or data if they have not been authorised to do so? Do you have services or data that can be accessed by staff members remotely using standard smart phone apps, for example a web based e-mail system? If so, then putting in place an MDM solution that can prevent such access without a smart phone first being enrolled and managed is important. While you may have a Smart Phone use policy that prohibits such access, how do you guarantee that no users are breaking that policy and accessing work e-mails with an app on their personal, unmanaged smart phone? This question shows that you should not just be considering mobile device management in isolation, but in conjunction with how your data is stored and accessed in general. If your e-mail is web based and can be accessed from anywhere, what security do you have in place to ensure only authorised users can gain access? Can you find a solution that offers both better protection for data being accessed remotely, and for the use of smart phones within your organisation?

Maybe the ultimate question to ask yourself is ‘Where would the organisation stand if a user reported that they had lost their mobile phone and that they had been using it for work?’ And would you then be wishing you had put an MDM solution in place?

What do I need my MDM solution to do?

There isn’t a one-size-fits-all MDM solution. You don’t want to be paying for features that you don’t need or working with a solution that is just too complex for your requirements. Have a good think about the key functions you require and select an MDM that meets those needs. For example:

  • Self-service Enrolment – Do you need a solution that lets your users easily enrol their devices themselves? If you are pursuing a BYOD approach then self-service enrolment is something that you will probably want, but if the organisation is supplying the phones then this will be less important. However, if you are rolling out a large number of phones, then some sort of self-service or automated enrolment process will probably still be important to you.
  • Just a simple policy and wipe approach – Will an MDM that just allows you to set a simple policy, such as requiring a PIN and encryption, and that lets you wipe a device if it is lost be good enough for your organisation? Once again, if the phones are supplied by the organisation then this might be good enough, but BYOD scenarios will probably require more control.
  • Conditional Access – Do you want to block access from phones that don’t meet certain requirements, for example if a phone has been jailbroken or if it is running certain apps that could put your data at risk? Some MDM solutions will be able to monitor and check phone configuration and block access if the phones don’t meet your security requirements.
  • Deploy and manage applications – If you are managing a lot of phones then having the ability to manage the applications on them, as well as deploy new applications in the future may be a feature that is attractive to your organisation.
  • Phone Type – Are you managing Apple or Android phones? If the organisation supplies the phones then you’ll be able to select an MDM that works for just your chosen platform (phone type). If you are going with BYOD then you’ll need an MDM that can support both.
  • Reporting – Do you have a dedicated IT department that can check reports about the status of your phones every day, or do you just want to get an e-mail alert when there is a significant problem with a phone, and a basic overall health report you can check every month? You don’t want to be paying for in-depth reporting features if you’re never going to use or understand them.

What else should I consider when selecting an MDM solution?

  • How easy is it to manage the MDM solution itself? – For most organisations a web based service that is run and maintained by the vendor is the best approach. That means that all you have to do is log in and use it. You don’t want the additional worry about whether your MDM solution is running and fully up to date. However, certain organisations with particular needs or circumstances might still consider a solution they host and run themselves within their own IT department.
  • How does the MDM solution manage the device? – If your chosen MDM solution uses a separate agent or app running on the phone to manage it, then this can bring additional problems with keeping that agent up to date. An MDM solution that uses a phone’s own built-in management features will tend to be simpler, more reliable and more secure.
  • App store integration – If you are going to be managing and deploying apps with your MDM solution then having one that hooks into the phone’s own app store will once again provide a simpler, more reliable and more secure solution than one which does not. You will also want to make sure that any apps deployed to your phones are being automatically updated, as you would expect of any app you install from the phone’s own public app store.

Where can I get more information about using Smart Phones for work and MDM?

The UK’s National Cyber Security Centre (NCSC) has produced extensive guidance on Mobile Devices, and Mobile Device Management in particular. This guidance provides an excellent overview of the topics, along with links to more in-depth advice on specific platform types (e.g. Android, Apple, Windows).

  1. NCSC Mobile Device Guidance
  2. NCSC Mobile Device Management Advice