Mobile Device Management (MDM), like all technology, constantly evolves and shifts. It can be tough to keep up with the changes, as resources can quickly become outdated, even if they come from the developer themselves. Beyond that, there are certain MDM challenges that are just unavoidable, but knowing about them ahead of time can help newcomers stay away from conventional traps and manage overall expectations.
In this post, we’ll cover some of the most common MDM challenges and offer expert advice on how to handle them. Let’s get started.
1. Enterprise system integration
If you’re working on selecting an MDM, or you’re learning a new one, it’s important to ask yourself the following questions to avoid common integration pitfalls:
- How does this MDM integrate with my directory service?
- Is this solution a UEM, which supports more than just mobile devices?
- How can I leverage this solution to assist with other security systems already in place?
Remember, not all MDMs are created equal. Some will have setup wizards to make integrations easier for an admin, or they may have established partnerships with big name VPNs, Mobile Threat Defense solutions, Microsoft’s Conditional Access, and others.
If you do not have other security systems in place, it is still worth considering integrations as a factor, because every business will at least have a directory service to host its users. Working through a full SAML connection to bring in your directory may be more than you bargained for if your MDM has not specifically spelled it out for you.
Employees continue to expose their devices to all sorts of security threats, including downloading untrusted apps, having their devices lost or stolen, and accessing risky public Wi-Fi networks. Depending on your industry, sensitive information falling into the wrong hands could have terrible consequences.
Often, we see companies treat a company cell phone as a perk or a benefit. Because of this, they cannot implement higher-level security, because that would limit the user’s agency. Of course, a device can be locked down to just a few applications, with Wi-Fi access restricted to only trusted access points, and this would be more secure. But for users, removing functionality can be unattractive.
In this scenario, there are compromises to enhance security while still preserving the agency of the user. Some aspects are more agreeable than others; requiring a front-screen passcode, utilization of lost mode / remote wipe, blocking jailbroken devices, OS patching, and implementation of compliance-based alerts to notify admins of certain security-risk events are all obvious options you should take advantage of.
Ultimately, it’s critical to think of your company smartphones in the same way you think of your computers. Their protection needs to be taken very seriously.
Supervision (or Supervised Mode) is a key component to understanding MDM, and why a migration can be a bigger task than initially thought. Manufacturers like Apple and Samsung (and Google) have free programs dedicated to achieving a higher level of control over devices, a sort of “super admin” status that gives companies better control over their devices. These solutions act like receipt catalogs, flowing devices purchased directly from authorized vendors into your MDM by putting the enrollment right in the initial setup wizard. They unlock perks like:
- Activation Lock removal
- Enforced enrollment
- Preventing the removal of enrollment
- Enforced policy controls
The catch is that the enrollment must occur in the initial setup wizard. So, if you are starting with an MDM for the first time, your previously deployed devices will have to be factory reset or replaced if you want to have full control over those devices. We see a lot of strategies to accomplish this task, including:
- Attrition: Re-enrolling previously enrolled devices is completely optional. In 2-3 years’ time over the natural life cycle of the devices, they will get replaced and the new devices will enroll in the MDM.
- Non-supervised enrollment: Devices can be enrolled with less control without requiring factory reset / replacement.
- Device Refresh: Replace all, or some devices. An opportunity to replace your older devices and migrate at the same time.
- Segmented Used Replacements: This allows you to purchase a smaller number of devices while still having a like-new upgrade experience:
  - Purchase 25 new devices
  - Deploy those 25 devices
  - Have those users ship back their old devices
  - Re-image those 25 in house
  - Deploy those 25 used devices
- Webinars: If a factory reset on their current device is the only option, we recommend completing the process 5-10 users at a time on webinars. This method will save you time from doing them all individually.
Also note that if you’re moving from an old MDM, where all devices are supervised, the process is much easier. The supervised status remains when you remove control from the old MDM – meaning a manual enrollment will retain supervision.
Consider also performing a combination of the above. If you cannot afford the time to formally migrate your devices, at least know the consequences of not doing so. To a certain extent you are saying goodbye to those devices if they are stolen or become Activation Locked – provided they are not supervised by another MDM before migration.
To manage or not to manage, that is the question. Some companies will opt to allow users to conduct business and keep company data on their personal device in lieu of providing a cell phone for business. While we would not recommend this for security reasons, it does pose a challenge from an MDM perspective. Non-supervised enrollment does provide some level of control, but the level of management you might be expecting is not there. BYOD enrollments are mainly for pushing content like applications, email, and Wi-Fi.
You may find some safety in the use of a compliance policy, where we can build an “if-then” statement. On a company-owned device, we can put in hardline enforcements and rest easy that our specifications are met no matter what. On a personal device, we cannot apply that level of draconian control. We can instead say: if you do not meet these criteria, then others will be notified (or some other consequence follows). BYOD compliance controls and their consequences vary by MDM, but they tend to be as follows.
The “if” criteria:
- Is the device jailbroken?
- Is the device up to date?
- Does the device have a front-screen passcode?
The “then” consequences:
- Mark the device as non-compliant.
- Annoy the user with a push notification or email.
- Alert the admin, or manager.
- Remove control.
Removing control may seem intense, but it is the main defense should the MDM detect that a device is jailbroken. It can also be leveraged for less risky controls after a certain amount of time (you have been out of date for 30 days and ignored our emails, therefore the MDM un-enrolls itself).
If you are a Microsoft shop, you may be able to leverage BYOD compliance for additional consequences via their Conditional Access service. This allows you to take it a step further, and it can be integrated with other MDMs. Here is a list of their compliance partners. Microsoft’s Conditional Access allows us to say, “if you are not MDM compliant, then you cannot have access to any application that is signed in with our company’s Azure Active Directory account.”
In other words, if your device does not have a front-screen passcode, or is not up to date, or is jailbroken, then you cannot access company email or any Microsoft applications.
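The “if-then” compliance policy and the Conditional Access gate described above, written out as a small evaluator. This is an added example, not code from the original post or from any MDM vendor; the three criteria and the 30-day un-enroll come from the post, while the 7-day admin escalation, the device fields and the sample dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed thresholds for this example (assumptions, not any vendor's defaults).
WARN_AFTER_DAYS = 7       # escalate to the admin/manager after a week of non-compliance
UNENROLL_AFTER_DAYS = 30  # the post's "out of date for 30 days and ignored our emails"

@dataclass
class Device:
    name: str
    jailbroken: bool
    os_current: bool
    has_passcode: bool
    noncompliant_since: Optional[str]  # ISO date of the first failed check, None if never

def failed_checks(d: Device) -> List[str]:
    """The 'if' half: the three BYOD criteria from the post; returns the ones that fail."""
    checks = {
        "jailbroken": not d.jailbroken,
        "os_up_to_date": d.os_current,
        "passcode_set": d.has_passcode,
    }
    return [name for name, ok in checks.items() if not ok]

def consequences(d: Device, today_iso: str) -> List[str]:
    """The 'then' half: escalate gently over time, but pull control at once for a jailbreak."""
    failures = failed_checks(d)
    if not failures:
        return []
    actions = ["mark_noncompliant", "notify_user"]
    if "jailbroken" in failures:
        actions.append("remove_control")  # jailbreak: the main defense, no grace period
        return actions
    days = 0
    if d.noncompliant_since:
        days = (date.fromisoformat(today_iso) - date.fromisoformat(d.noncompliant_since)).days
    if days >= WARN_AFTER_DAYS:
        actions.append("alert_admin")
    if days >= UNENROLL_AFTER_DAYS:
        actions.append("remove_control")  # the MDM un-enrolls after ignored notices
    return actions

def conditional_access(d: Device) -> str:
    """Conditional Access style gate: only a compliant device reaches company applications."""
    return "allow" if not failed_checks(d) else "block"
```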
In general, BYOD security measures are reactive rather than preventive – but they may be a consolation prize if your company is opting not to provide company cell phones. We maintain that a cell phone is a computer and should be protected as such, but this may help you set up some mitigating controls.
5. Company culture
Sometimes when IT implements or proposes a new system, there can be a lot of push back from end-users. We find that clients are mainly concerned with ensuring they do not become 1984-style, iron-thumb micro-managers. MDM is not Big Brother. It cannot be used to identify where an end-user navigates, read their text messages, or spy on them. While there are solutions that can do that, you will not find them in MDM. That said, there are some controls that users may find invasive, and we’d recommend being transparent about what it can and cannot do so that your intents are understood and accepted.
Invasive actions it can do:
- Locate the device.
- Implement device restrictions and other policy enforcements.
- Identify applications downloaded by the user.
Invasive actions it cannot do:
- Track website data.
- Read text messages.
- Record phone calls.
- Download photos.
MDM has some controls that are restrictive, but it cannot do the most extreme things that people might think it can. Plus, the things it can do are reasonable compromises – especially when you, as a company, also establish that this is a company-owned phone and needs to be protected. We hope that establishing these differences will help you bridge the gap between culture and security.
When it comes to MDM, there is no such thing as a “one-size fits all” approach. Beyond that, you need to understand the various use cases and challenges upfront in order to achieve the best results for business – and we can certainly help you get there.
If you have more questions about MDM or want to inquire about creating a clear, actionable MDM plan that works for your needs, then please don’t hesitate to contact us.