Manage the risks and seize the opportunities of BYOD

How MDM can help

Many companies understand the obvious aspects of BYOD (bring your own device) and mobile device management (MDM). Employees work on the devices that they like and use and share data seamlessly, whether that data is personal or business.

Mobile devices nowadays can do so much more than texting and sending emails. They can provide real company value with business apps that increase productivity. One of the keys to a successful BYOD policy is the right MDM solution.

Having worked as a messaging engineer for a multibillion-dollar global enterprise, I am all too familiar with BYOD and the use of mobile devices to access company data.

I have been asked countless times how I feel about BYOD and my answer has always been: "With the correct MDM solution BYOD can provide value not only for the users but for the business as well."

Locks and bolts

Our job in IT is to protect the company’s data and assets while providing users with the solutions and technology they need to be successful in their jobs.

Enterprises both big and small need to protect their data. Security is a big factor, and anybody that has mobile devices, even under BYOD, should have some sort of MDM solution that provides at least a very basic level of protection.

IT departments are often required to enforce policies and standards to comply with any business regulations such as HIPAA and SOX. Having standards also makes it easier to manage a wide range of devices.

The balance between providing ease of access yet complying with regulation and standards can be achieved by using an MDM solution.

Solutions such as MobileIron, McAfee's EMM and Good Technology’s mobile device management software all provide strong security mechanisms that push standards down to devices.

MDM software enables devices to be locked down. A good example is the prevention of backups of corporate data made by end-users.

If backups of devices are not controlled there is the possibility that once employees leave the company they can restore company data on their devices from a previous backup. Preventing the backup or at least controlling where it resides provides added security.

Other important MDM capabilities let systems administrators prevent automated backups, the restoring of corporate data from backups, the sharing of corporate data across apps and the taking of screen captures.

Seen in profile

MDM profiles can also be implemented to configure corporate Wi-Fi settings with any required certificates; control access to the microphone and camera; prevent the sending of corporate mail through third-party software; disable screen captures; and enforce the requirement to have a password to unlock the device.

These profiles can provide a level of consistency through the various device models that connect to the network, making it easier to manage.

With the rise of the mobile workforce, providing secure access methods is key. Pre-configured secure VPN settings deployed through an MDM policy would allow users to access network drives and internal applications.

Providing secure VPN access through mobile devices is a huge bonus, allowing users to be more productive while on the go.

Similar policies to those that are enforced on desktops in the enterprise can also be enforced on mobile devices.

For example, the same screensaver timeout that locks your desktop when you walk away can be applied to mobile devices using MDM, obliging you to use a password to unlock the phone.

This type of manageability gives IT departments the same degree of control as they have on desktops, applied to a range of non-corporate devices of all different flavours.
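The check below is an added example, not part of the original article: it audits a profile against the settings described above (camera, screen capture, backup, passcode and idle lock) and flags any that are missing or weak. It assumes an Apple-style configuration profile; the sample profile and the five-minute idle limit are constructed for illustration.

```python
import plistlib

MAX_IDLE_MINUTES = 5  # assumed corporate limit, not a value from the article

# Constructed sample profile: the restrictions payload omits allowCloudBackup
# and the passcode payload allows 15 idle minutes before the device locks.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><false/>
      <key>allowScreenShot</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>maxInactivity</key><integer>15</integer>
    </dict>
  </array>
</dict></plist>"""

RESTRICT = "com.apple.applicationaccess"
PASSCODE = "com.apple.mobiledevice.passwordpolicy"

# Baseline: (payload type, key) -> predicate the pushed value must satisfy.
# A key absent from the profile arrives as None and therefore fails the check.
BASELINE = {
    (RESTRICT, "allowCamera"): lambda v: v is False,
    (RESTRICT, "allowScreenShot"): lambda v: v is False,
    (RESTRICT, "allowCloudBackup"): lambda v: v is False,
    (PASSCODE, "forcePIN"): lambda v: v is True,
    (PASSCODE, "maxInactivity"):
        lambda v: type(v) is int and 1 <= v <= MAX_IDLE_MINUTES,
}

def audit_profile(raw: bytes) -> list[str]:
    """Return 'payload.key' for each baseline setting that is missing or weak."""
    profile = plistlib.loads(raw)
    enforced = {}
    for payload in profile.get("PayloadContent", []):
        for key, value in payload.items():
            enforced[(payload.get("PayloadType"), key)] = value
    return sorted(f"{p}.{k}" for (p, k), ok in BASELINE.items()
                  if not ok(enforced.get((p, k))))

if __name__ == "__main__":
    for gap in audit_profile(SAMPLE_PROFILE):
        print("NOT ENFORCED:", gap)
```

A key left out of the profile is reported the same way as a weak value, because a restriction that is not in the profile is never pushed to the device.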

This time it's personal

One of the biggest factors that comes to mind for most enterprises when choosing an MDM solution is the ability to segregate and classify data on the devices.

When enterprises allow BYOD, the segregating of personal and company data is a huge consideration. Having the ability to containerise company data allows employees to use their devices for both personal and business reasons. This protects both parties and offers flexibility.

With data segregation, the personal information on users’ devices, such as their contacts or pictures of their puppy dogs, can still be retained if they leave the company. Segregating the two types of data and sending out what is commonly known as a selective wipe ensures that only company data is removed.

It is like eating cake and ice cream at the same time. Who doesn’t like eating cake and ice cream?

This is a huge win for both the user and the business. Users can work with their choice of device and upon termination only company data is removed from it. The business potentially saves money by not having to issue a device and also gains security and ease of access to company data.

The classification of data not only helps protect the company from a security point of view but also from any type of e-discovery request that may be received.

We know that from a legal perspective BYOD could be a nightmare. Emails that are work-related can be containerised and cached on the devices but that solves only part of the problem.

In today's world securing company data is hugely important. Having it fall into the wrong hands can be devastating for companies.

It is fine and dandy that you can use your own device to get company email, and even to access some files from the corporate network. On a secured device everything is cached and segregated. But what happens when a user's personal device is called into a legal proceeding?

There are circumstances in which evidence – such as a photo – may be on that BYOD device.

For example, an employee uses his camera to take photos or video footage of a construction project and a "work event" occurs. That photo or video may now be requested by the judge for evidence.

This is where MDM is very important, not just for the IT department but the business it serves. The classification of data along with the location-tracking capabilities lets the IT department know where potential data may be and control it at the same time.

Controlling the functions of certain hardware features, such as the camera, with an MDM solution can prevent the user from taking a photo or video, minimising any risk that these features present.

Preventing access to certain mobile device features can be a limiting problem for mobile device users but it does protect the company and its data. Believe it or not, it protects the users as well by not allowing them to get into any potential conflicts.

Necessary force

Through location-tracking capabilities, IT departments can secure company data before it falls into the wrong hands. The ability to lock a lost or stolen device remotely can be a life saver.

Even better (if not for the user), IT departments can remotely nuke the device so that there is no data to get to, rendering the phone unusable.

Email is the most heavily used form of communication. People not only communicate via email but they send documents by email and some even use their mailboxes as a virtual filing cabinet.

Email was not designed for that purpose but people still use it that way, which makes it even more important to secure access to lost devices.

We have all heard reports of the lost corporate laptops that contained personal information for customers or employees; losing a device such as a smartphone is no different.

Can you imagine the possibility of highly confidential data being exposed by the loss of a mobile device with no MDM policy attached to it? This could be devastating for some companies with potentially a huge financial hit.

If on the other hand the CEO of a Fortune 500 company, for example, lost his or her mobile device containing emails with confidential attachments, the MDM feature could remotely locate the device, lock it immediately and then send a wipe signal so that the device and any data on it is wiped clean.

Remote wipes are also great when an employee decides to leave. With the rising trend of remote working, employees can be terminated while not in the office but they may still have company data on their devices. Once an employee is terminated MDM can send out a remote selective wipe that removes the company data from a device.

BYOD can present quite a challenge to IT departments. They have to give users the freedom to use whatever device they choose but also maintain strong security.

It is a tough job but not an impossible one. Given the right MDM solution the balance can be found.

It's all about the apps

MDM can also provide a method of deploying business applications to users’ devices.

Many of today’s MDM solutions feature ways of packaging software and deploying it to the devices, as well as allowing downloads in a similar way to an app store. Businesses can increase productivity by providing their users with recommended applications through a company app store.

Using MDM can help standardise what business apps users should install and what data can be stored on their devices. MDM also offers the ability to report on what employees are installing. This could be used for any sort of reporting metrics on key productive apps or even dangerous apps.

As more businesses use mobile apps as an everyday part of life, the development of custom applications to tie into internal application stacks is bound to happen. In fact it happens right now as we speak.

Businesses are developing applications that can be accessed not just from standard desktops but also on mobile devices, with big increases in productivity.

These custom apps can provide a useful function to a mobile sales force, for example, such as creating and transmitting a purchase order to an internal application, which in turn would feed it into an ERP system.

A custom app like this, used on the go by a sales person, could represent millions of dollars' worth of purchase orders in the making, all delivered by a secure mobile device. Apps for work orders can also be used, with real-time submission and processing of work orders.

App deployment can also push out updates to the custom applications or hardware updates to the mobile devices. MDM can also prevent apps from updating or even installing.

The ability to push out updates falls in line with the standardisation of IT departments. It gives IT departments some sort of control that would otherwise be very difficult. Without control over mobile devices businesses risk losing money and valuable data.

MDM can provide the balance between usability and security that is becoming increasingly important as the consumerisation of IT unfolds.