Sales of smartphones and tablet devices have exploded over the last five years or so. Increasingly these mobile devices are being used in the workplace. That's great news for businesses because these devices can make employees more productive, they cost less than laptops, and thanks to Bring Your Own Device (BYOD) programs the purchase cost can be borne by the employee.

But mobile device usage introduces security risks. The devices can be used to access corporate networks and store sensitive corporate data, putting data at risk when the user walks out of the corporate front door with the device in their pocket. What if the device is left in the back of a cab, or the user moves to a new job while using the same device?

Most mobile devices can be configured so a password is required to unlock them, but popular platforms such as Android and Apple's iOS were not built with enterprise security in mind. What businesses need for security purposes - and what regulatory compliance may require - is a way to ensure that all devices are configured that way, and in a way that users cannot override. Security goes way beyond passwords. There are multiple settings that need to be configured - and stay configured - on every mobile device to provide a baseline security level.

A mobile device management (MDM) system provides a solution to this problem. Once a mobile device is enrolled on the system, the device can be configured automatically with a standard set of security settings. It can then either prevent the user from changing these settings, or remotely wipe the phone and remove access to corporate networks if it detects that the settings are changed by the user.

Mobile Device Management Features

A mobile device management system is usually limited to configuring settings that any given mobile operating system makes available, and for that reason most MDMs provide broadly the same set of security features on each mobile device platform. These may vary on a device by device basis, but usually include:

  • Enforcement of device PIN/password usage. Ensuring that the device can only be accessed after entering a (usually) four-digit PIN or, preferably, a password or phrase that is not easily guessable. These can be reset from the MDM if forgotten.
  • Remote device lock/wipe. Giving administrators the ability to lock or delete the data - either all data or just corporate data - from a device that is reported lost or stolen. Many mobile device management systems also include geolocation to help employees find lost devices and reduce costs related to lost devices.
  • Data encryption. Activating on-device data encryption on platforms such as iOS that have it built in, or adding this functionality to platforms such as Android that might not.
  • Jailbreak/root detection. Jailbreaking or rooting a mobile device frees it from many OS-level security restrictions, and may also enable users to bypass security controls imposed by an MDM. For that reason, it is vital that an MDM can detect when a device has been jailbroken or rooted.

In addition to configuring these sorts of security settings, most mobile device management platforms also allow administrators to see the internal state of any mobile device remotely, including the configuration settings and installed applications. Operating system and application updates can be pushed to devices to minimize security or reliability issues, and policies based on Active Directory (or other directory) groups can often  be imposed, limiting devices belonging to users in different groups so they can only access to appropriate corporate resources.

Most MDMs also enable a huge variety of further group policies and restrictions to be imposed on mobile devices. These may include preventing the device's camera from being used (or preventing it from being used in certain geographic locations such as the corporate offices), prohibiting the installation of applications which appear on a blacklist, blocking in-app purchases, or preventing any apps from being installed unless they are downloaded from an enterprise app store controlled by the MDM.

How MDM Systems Work

Most MDMs work in a broadly similar way, with an agent or profile installed on the device providing the MDM with a "way in" so that it can assume control remotely from a management console. Some systems provide a single sandbox into which all corporate data resides, manipulated by dedicated apps (forcing the user to work with a special email app, for example, instead of the device's native email app,) while others rely on security features provided by the OS to protect standard applications.

A newer technology is beginning to emerge that uses  virtualization to run two versions of the operating system on one device -- one for the user's personal use, and one for corporate use, controlled by the MDM system.

MDM Implementation and Enrollment

Most mobile device management systems are installed on-premise as a software solution, and less commonly as an appliance-based solution. Since purchasing and installing an MDM system is not practical for smaller companies, a number of vendors offer their MDM system as a cloud-based service. These are usually priced on a "per device under management per month" basis.

Because cloud solutions tend to be highly scalable, they are also attractive to organizations with very large numbers of mobile device users.

Device enrollment can be carried out in a number of ways, but systems that allow employee self-enrollment (often by responding to an enrolment email) are becoming more common, and are practically essential for large organizations which may have hundreds or thousands of users.

Determining MDM's ROI

Unfortunately making a financial case for a mobile device management system is not exactly a cut-and-dried proposition, as it's difficult to quantify benefits that result from protecting mobile data. Download eSecurity Planet's MDM ROI calculator to highlight some of the key savings that can result from MDM, including costs associated with replacing lost or broken mobile devices.

Mobile Device Management's Future

Mobile device management is only just out of its infancy, and many vendors are developing their products by adding additional features that go beyond basic security and compliance.

These include integration with other management systems such as Microsoft System Center, integration with security policy engines from corporate security products, and additional features such as data loss prevention or telephone expense management.

There is also a high level of industry consolidation being carried out. In the last couple of years, major vendors have been acquired, including AirWatch (by VMware), BoxTone (by Good Technologies) and Zenprise (by Citrix).

Paul Rubens has been covering enterprise technology for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.