As portable “smart” devices become more powerful over time, and more businesses are employing mobile-based enterprise applications for company use, the management of these devices is paramount. Mobile Data Management tools can create the infrastructure needed to ensure both security and efficiency for employees who use these devices and help decrease the ever-growing burden on company IT departments.
Many considerations need to be taken into account when choosing the appropriate MDM solution for a particular business; mainly regarding how much control is needed over employee devices. Though most of the popular MDM tools currently in use provide a wide variety of options and levels of control, deciding on an approach will guide your company into choosing a solution that balances features and cost.
In this article, we will focus on solutions that can be deployed in BYOD (bring your own device) environments as well as with company-owned devices, and ones that use a SaaS (software as a service) model as opposed to a more hardware-dependent solution. Although many larger companies are moving towards these two approaches, we believe these models are particularly relevant to the considerations of most small and medium-sized businesses.
Although distributing apps that may never appear on Google Play is simple for Android devices, bypassing the Apple App Store is a bit more involved. If your company makes apps that will eventually be distributed via the App Store (i.e., you have access to a paid Apple Developer account), utilities such as TestFlight can be used for free to distribute your apps wirelessly to your employees until they are fully developed.
Otherwise, apps must be “sideloaded” onto devices via USB using Xcode or programs such as Cydia Impactor (handy if you don’t have a Mac); again, with an Apple Developer (or Apple Enterprise Developer) account. This involves some configuration of the devices themselves to trust developer certificates from your company (as well as dealing with the certificates themselves), and although Impactor can help simplify this procedure, it is still a bit messy.
Mobile Data Management tools can facilitate this deployment, most often wirelessly, and also allow you to configure the device itself, eliminating the need to have the user deal with manually trusting certificates for company apps (trickier than it sounds, for iOS devices).
Configuration and Restriction:
In addition to configuring a device to make use of company apps as described above, MDM tools allow you to make many other modifications to devices as well. Some very simple configuration changes can greatly reduce the chances of corporate data being shared, where the security of such data is important. You can easily configure a device, for example, to require unlocking via a PIN or passcode, and force it to lock after a given interval, reducing the chance of data being read off of someone’s device if it is left unattended.
For MDM solutions that can interact with devices remotely, the devices can be tracked and their use monitored. Most MDM tools will let you know if a device has been rooted or “jailbroken” as this practice can be used to bypass restrictions and compromise a device’s security. A device can also be easily “wiped” if compromised or lost, to ensure that your company’s data remains secure.
Other restrictions on company devices can be applied: certain apps or websites can be “whitelisted” (allowed) or “blacklisted” (restricted) to ensure standards and productivity, devices can be locked to a particular secure network or VPN, device features such as cameras and Bluetooth connectivity can be disabled, and devices can even be “geofenced” to ensure they will not unlock outside of a particular area to discourage them from leaving the business environment (obviously, not to be done in a BYOD environment).
Apple Configurator and Apple Server Profile Manager:
Apple has a couple of free utilities that can be used as MDM solutions, though each is limited.
The first, called Apple Configurator, can create profiles and deploy custom apps as described above, but only through a physical connection (Lightning to USB). This will limit the ability to mass-configure large numbers of devices without additional hardware (high-capacity USB hubs), as well as limiting any activity that would normally be done remotely (e.g., wiping a lost or stolen device). However, this can be an effective and simple solution for devices that will be used as stand-alone appliances and only need to be configured once and updated rarely (point-of-sale systems, for example).
If your company has an Apple Server, the Profile Manager utility (included on Lion Server and above) can be used to wirelessly perform the same functions as Apple Configurator, with much better support for mass-deployment of enterprise apps, and the ability to configure and wipe devices remotely. Both utilities can only be used with iOS devices (although Profile Manager can be used to configure macOS devices as well).
Google’s G Suite Administrator:
Google’s MDM solution is bundled with G Suite (formerly Google Apps for Work), so the added service is free if you’re already using Google Apps in your business environment. Though not as full-featured as some of the other options we will discuss, it nevertheless has some interesting options that are unique in the MDM world.
For Android devices, for example, a separate “work” profile can be created on an employee’s personal device, allowing corporate data to be stored separately on the device without interacting with personal data (particularly useful in BYOD environments). This is a unique way of dealing with the issue of “containerization”. An older (but still used) approach was to store all corporate data within a single app, which could be easily wiped if the device was compromised or needed to be detached from the corporate environment. However, data could not be transferred outside of the app, often meaning that the app had to contain its own e-mail and browser capabilities. This forced employees to use non-native apps, which was seen to decrease productivity because of unfamiliarity and difficulty of use.
As part of G Suite, the Administrator tools and modifications fully integrate with the rest of the suite, allowing employees to use familiar apps such as Chrome, Gmail, Docs, Sheets, Hangouts, etc., and providing a native user experience. And because of the ability to create these separate “profiles”, users can use virtually any app without fear of the data being inadvertently shared.
Another feature that I have yet to see from another MDM solution is the Google Admin app (for Android devices), allowing you to manage your employees’ registered devices from a mobile device.
This solution does have some limitations, however, as alluded to above. Most features are available when administering Android devices; iOS devices have a good amount of control (including a “Basic Mobile Management” option that gives you most of the features without dealing with certificates), but there is only limited control over BlackBerry and Windows mobile devices.
Microsoft Intune:
From Microsoft, Intune is a full-featured solution that allows configuration and management of not only Windows, Android, and iOS mobile devices but Windows and macOS machines as well. As with Google’s G Suite Administrator above, Intune can be used easily with Office 365 products for documents and e-mail, but the products are separate offerings and licenses will need to be purchased separately. This may be a good solution, however, if your company already makes heavy use of Office 365 and other Microsoft business products such as Skype for Business and SharePoint Online.
AppTec Enterprise Mobile Manager:
AppTec, based in Switzerland, offers Enterprise Mobile Manager, the last free (for up to 25 devices) MDM / EMM solution on our list. It is full-featured and allows configuration and management of Windows and macOS machines, and Android, iOS, and Windows mobile devices. It is currently used by many large international companies.
VMware AirWatch:
Acquired by VMware in 2014 for over $1.18 billion, AirWatch must be mentioned here as the most popular solution in the industry today. It is also the widest reaching: allowing configuration and management of Windows, macOS, and ChromeOS machines; iOS, Android, Windows Mobile, BlackBerry, Symbian, and Tizen devices; Apple TV devices; and “ruggedized” devices (with the acquisition of Motorola Solutions’ Mobility Services Platform). AirWatch also offers several brands of “integrated apps”, giving users a choice of secure apps (for e-mail and other functions) to maintain productivity.
Many other major companies offer their own (paid) MDM solutions as well. Some include: IBM’s MaaS360 (previously owned by Fiberlink) and Good for Enterprise, which can be used with (or without) the aforementioned “containerized” approach; MobileIron EMM; Citrix’s XenMobile (which has some well-liked “integrated” apps); BlackBerry Enterprise Service 12 (or BES 12, which manages more than just BlackBerry devices); Cisco’s Meraki Systems Manager; and offerings by other well-known IT security firms such as McAfee and Symantec, just to name a few.
Another consideration when choosing between all these solutions is, of course, pricing. Though we have mentioned some free (or close to free) solutions, larger companies may find the benefits (such as 24/7 support) offered by the other companies to be necessary for their operations and IT departments. Most are subscription-based offerings, using either a per-device or per-user monthly or yearly fee as a starting point (though most will customize their prices according to an individual company’s needs).
All of the listed MDM solutions give a limited (14- or 30-day) trial, so you can try out a few different solutions to find a product that suits your needs and an interface that you find easy to use (an important consideration). Adding any mobile management to your company is a great way to manage security concerns while maintaining productivity for your smart-device-savvy workforce.