MDM (Mobile Device Management) is nothing new to the corporate world. The corporate workplace has always been a balancing act between those responsible for securing data and managing the risk of corporate exposure, and the pressure to support new, more flexible ways of working.
With current advances in mobile and client computing technology, consumer devices are extending from the home into the workplace and into educational establishments, and even governments are embracing the change; the UK Central Government's G-Cloud strategy, which aims to provide computing resources to users as they are needed, is one example.
The UK Government's own analysis behind that strategy is that public sector IT infrastructure has grown over decades in an attempt to meet the demands of its users. The result is increasingly costly infrastructure, which hinders both public and private sector organisations from modernising and exploiting new approaches to ICT.
Typical problems organisations face include:
- Difficulty achieving large economies of scale
- Lengthy contractual commitments with inflexible providers
- Reliance on capital funding and locked-in terms
- Inability to deliver flexible IT systems that are responsive to both business change and user demand
- Inability to take advantage of new technologies to deliver faster business benefits
- Difficulty meeting environmental and sustainability targets
- Procurement that does not encourage a dynamic, responsive supplier marketplace or emerging suppliers
There are many acronyms used on the internet to describe MDM, so let's start with a basic definition of the service. EMM (Enterprise Mobility Management) suites help organisations integrate hard-to-manage mobile devices into their security frameworks, systems and lifecycles. An EMM suite has four main components:
Mobile Device Management (MDM)
The platform lifecycle management technology that provides inventory, configuration management, application provisioning and remote wipe, delivered through an MDM profile installed on the device.
Mobile Application Management (MAM)
MAM provides management and policy control at the level of individual applications, such as controlling which applications can be installed or advertised from a company application store.
Mobile Identity Management (MIM)
Mobile identity tools ensure that only trusted devices and users can access enterprise applications. Capabilities include secure authentication, single sign-on, multi-factor authentication, and certificates for devices and for application code signing.
Mobile Content Management (MCM)
MCM enables users to access corporate content from their mobile devices and covers content access, content push, file-level protection, and copy/paste and sharing restrictions. MCM often fits into a wider corporate strategy such as DLP (Data Loss Prevention) and rights management policies, which restrict content from being accessed, emailed or copied by unauthorised users and devices.
Now that we have a basic definition, let's look at some of the myths around EMM.
Many organisations do not treat MDM and EMM suites as big agenda items, because they are seen simply as a way of extending business communications.
However, this is far from reality: consumer smartphones and tablets have grown so capable that they can process and store as much business data as any business desktop or laptop.
For many organisations this poses a new wave of potential threats that need to be managed closely and re-evaluated regularly, because mobile device capabilities continue to grow in line with unprecedented consumer demand.
What is Device Mobility to your Organisation?
What mobility means to one organisation can mean something else to another. For example, would you include the management of laptops, tablets, desktops or mobile phones in your mobility strategy? These questions should be settled early when developing your strategy.
Typical scenarios to consider:
- Users want to use their own devices, such as tablets, phones, laptops and desktops, in the workplace (BYOD).
- Company-owned devices that only infrequently connect to the company network.
Once you understand the usage scenarios relevant to your organisation, you can begin the discovery process of gathering the business requirements that will drive the selection of an EMM solution.
Let's look at a sample of typical business, technical and support requirements.
Regulatory requirements for safeguarding company data and personal information will be a major factor in choosing the right solution.
A review of company policies is often a good starting point. Policies written for static, company-owned devices may not be fit for purpose for BYOD and device mobility, and agreeing what these policies should be will save a lot of time later. The key focus should be on staying agile and reviewing policies regularly, while remembering that protecting the data from loss is the central consideration. That does not change regardless of who owns the device: mobile devices are now commodity items that can be replaced quickly and cheaply, but the data on them cannot.
The following items should also be considered:
- Do we need to prevent users from keeping company data on personal devices?
- Is authentication with company credentials a requirement?
- Is authentication required at the device level, at the application level, or both?
- Data on the device should be encrypted.
- Access to applications should be controlled on corporately owned devices.
- Security compliance should be enforced, and deviations from it monitored.
- Device backups should be encrypted.
- Policies should be applied to sets of users and devices rather than to individuals.
- Are devices required to be enrolled automatically?
- The solution should support the device types and business usage scenarios identified above.
- Company Wi-Fi credentials should be managed by policy rather than handed to users.
- Internet usage on corporate devices should adhere to company policies.
- Are internal applications required when outside the corporate environment?
- Copy/paste between personal and corporate applications should be disabled.
- Should users be able to manage or override company settings?
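The requirement that compliance be enforced and deviations monitored is only useful if someone actually looks for the deviations. The script below is an added example, not code from the original article or from Microsoft, that reports Microsoft Intune-managed devices which break the requirements listed above (compliance state, encryption, jailbreak status, stale check-in) using the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph module is installed, that the signed-in account holds the DeviceManagementManagedDevices.Read.All permission, and that the seven-day check-in threshold and the output file name are your own choices; all three are assumptions.

```powershell
# Added example: report Intune-managed devices that deviate from the requirements above.
# Assumptions: Microsoft.Graph PowerShell SDK installed; account granted
# DeviceManagementManagedDevices.Read.All; the sync threshold and CSV path are arbitrary.

param(
    # Assumption: a device that has not checked in for this many days is treated as a deviation
    [int]$MaxDaysSinceSync = 7,
    [string]$OutFile = '.\intune-deviations.csv'
)

Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All' | Out-Null

# Pull the full managed-device inventory; -All follows the Graph paging for us
$devices = Get-MgDeviceManagementManagedDevice -All
$cutoff  = (Get-Date).AddDays(-$MaxDaysSinceSync)

$deviations = foreach ($d in $devices) {
    $reasons = @()

    # Intune's own evaluation against the assigned compliance policies
    if ($d.ComplianceState -ne 'compliant') { $reasons += "complianceState=$($d.ComplianceState)" }

    # Requirement: data on the device must be encrypted
    if (-not $d.IsEncrypted) { $reasons += 'not encrypted' }

    # JailBroken is reported as a string ("True"/"False"/"Unknown")
    if ($d.JailBroken -eq 'True') { $reasons += 'jailbroken/rooted' }

    # A device that never syncs cannot receive policy, so it cannot be trusted to be compliant
    if (-not $d.LastSyncDateTime -or $d.LastSyncDateTime -lt $cutoff) {
        $reasons += "last sync $($d.LastSyncDateTime)"
    }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            DeviceName = $d.DeviceName
            User       = $d.UserPrincipalName
            OS         = "$($d.OperatingSystem) $($d.OsVersion)"
            Ownership  = $d.ManagedDeviceOwnerType   # company or personal (BYOD)
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Show the deviations, BYOD and corporate devices grouped, and hand them to the service desk as CSV
$deviations | Sort-Object Ownership, DeviceName | Format-Table -AutoSize
$deviations | Export-Csv -Path $OutFile -NoTypeInformation
```

Running this on a schedule, and treating the CSV as a work queue for the service desk, is a cheap way of turning the "deviations should be monitored" requirement into something measurable before the wider EMM rollout.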
Technical requirements are often the most challenging to meet, and can cause a poorly planned EMM project to quickly deviate from its plan. When initially planning the project, consider items such as:
- Do you require a managed web browsing experience for access to internal applications?
- Do you have any policies in place that would stop users enrolling phones? AD FS client access policies (CAP), which you may have deployed with Microsoft Office 365 to restrict access to clients inside the corporate network, are one example: they will also block mobile devices from enrolling or syncing when away from the office unless the rules allow those clients through.
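Before assuming a phone enrolment problem is an EMM fault, it is worth checking whether an existing AD FS client access policy is the cause. The script below is an added example, not code from the original article or from Microsoft, to be run on an AD FS server. It reads the issuance authorisation rules on the Office 365 relying party trust and reports whether they deny access based on network location, and whether that denial is applied to all clients or only to specific client applications. The relying party name is the default created by the Office 365 federation setup and is an assumption; the claim types are those used in Microsoft's documented Office 365 client access policy scenarios.

```powershell
# Added example: detect AD FS client access policy rules on the Office 365 relying party
# that would stop mobile devices enrolling or syncing from outside the corporate network.
# Assumption: the relying party trust still carries its default name.

Import-Module ADFS

$rpName = 'Microsoft Office 365 Identity Platform'   # assumption: default RP trust name
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found" }

# Authorisation rules are where client access policies live
$rules = [string]$rp.IssuanceAuthorizationRules

# Claim types used by the documented Office 365 client access policy scenarios
$insideCorpNet = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
$forwardedIp   = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip'
$clientApp     = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application'
$denyClaim     = 'http://schemas.microsoft.com/authorization/claims/deny'

$hasDeny       = $rules -match [regex]::Escape($denyClaim)
$usesLocation  = ($rules -match [regex]::Escape($insideCorpNet)) -or ($rules -match [regex]::Escape($forwardedIp))
$usesClientApp = $rules -match [regex]::Escape($clientApp)

Write-Host "Relying party   : $rpName"
Write-Host "Deny rule       : $hasDeny"
Write-Host "Location-based  : $usesLocation"
Write-Host "Per-client rules: $usesClientApp"

if ($hasDeny -and $usesLocation -and -not $usesClientApp) {
    Write-Warning 'External access is denied for every client: phones will not enrol or sync off the corporate network.'
}
elseif ($hasDeny -and $usesLocation) {
    Write-Warning 'External access is restricted per client application: confirm the MDM enrolment and mail clients are allowed.'
}

# Print the raw rules so they can be reviewed and adjusted before the EMM rollout
$rules
```

If the warning fires, the fix is a policy decision rather than a technical one: either the rules are relaxed for the enrolment and mail clients the mobility strategy depends on, or the strategy has to accept that devices only work on the corporate network.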
For most companies, the ability to manage the user experience, making sure explicit content is blocked and that access to company applications is controlled, is a major concern. Let's look at a few of the options:
Telephony vendor solutions: mobile carriers often offer solutions at an additional charge, ranging from simple filtering of web usage to fully managed VPN solutions.
Always-on VPN is another option. It can be hosted by a third party, as a cloud service or on premises, to manage browsing content and to provide access to internal data and applications.
If managing the browsing experience is not a major concern, there are simpler ways to expose your company's internal HTTPS applications safely on the internet:
Azure AD Application Proxy is a secure way of publishing an internal HTTPS application to the internet: users pre-authenticate against Azure AD before any traffic reaches the application, and the on-premises connector makes only outbound connections, so no inbound firewall ports need to be opened.
Alternatives include on-demand VPN, or re-platforming the application onto a hosted service such as Microsoft Azure or Amazon AWS.
For most organisations, support for laptops and desktops is well understood. As mobile and BYOD devices proliferate in the workplace, however, the capability of the existing support services needs to be re-evaluated and new processes created to cover the following:
- Additional support requests
- Service level agreements
- Password resets
- Out-of-hours support
- Authentication issues
- Lost/stolen device process (including who is authorised to trigger a remote wipe)
- Starters and leavers
- Device replacement
- Are there any procurement programmes that can simplify the enrolment process?
- How will new applications be managed, authorised, reviewed and retired?
This article was written by Steve Harper of SystemsUp.Co.UK as an introduction to the key concepts in planning for Microsoft Intune.