Mobile device management (MDM) is currently one of the hottest topics in the cybersecurity space. An MDM profile is an administrative configuration that allows for the centralized management of remote devices such as mobile phones, tablets, and laptops.
The challenge MDM profiles face is to provide support for a myriad of operating systems and device platforms, while still providing flexibility and productivity for the workforce. Additionally, MDM profiles have to account for challenges presented by the post-pandemic increase in remote work offerings.
MDM profiles can perform a variety of tasks: installing required software or security agents, setting operating system security configurations, managing certificates, and configuring application settings. They can also restrict user and application access to local or network computing resources.
Why Is MDM Important?
An MDM solution provides a way for a company to ensure devices with access to company data and resources are secure and meet any necessary regulatory or compliance standards.
A good MDM solution will deploy security tools that block malicious software from entering the organization. It will also provide a means to lock and/or remotely wipe lost or stolen devices to ensure no company data falls into the wrong hands.
Along with remote work, bring your own device (BYOD) programs and policies have become more popular. Since 2018, nearly 80% of all U.S. companies have used BYOD.
Many companies require employees to use company-owned laptops for work, but those same companies often expect or allow employees to use their own mobile devices, such as phones or tablets. However, these BYOD devices often have nearly the same level of access to company data and resources as laptops or other traditional IT devices.
Despite this, only 32% of companies require registration and installation of MDM software on personal devices.
Alarmingly, companies tend not to treat mobile devices as carrying the same level of risk as laptops and desktops. Over time, this practice will lead to more breaches and lawsuits.
What Are Common Challenges with MDM?
There’s a common misconception amongst both the user community and many IT leaders about the purpose of MDM. Fundamentally, MDM is a configuration management tool that ensures secure settings are in place.
It’s not spyware or a forensic tool that can monitor user activity on devices. And it’s not a one-size-fits-all security or compliance tool. No MDM solution by itself can provide all the security or compliance capabilities required by large, complex organizations.
Here are some of the challenges an organization could face with implementing or managing an MDM profile.
High Complexity
Because of the wide variety of devices that an MDM solution may need to support, complexity can be very high. Often this means there is not enough parity in capability across different device platforms. Therefore, multiple MDM tools may be required, because the MDM selected simply doesn’t have support for a particular type of device or platform.
This can create a patchwork of holes for attackers if not closely managed. This high complexity also requires a more highly skilled workforce, more management time, and increased effort to support.
Users Requesting Special Treatment
VIPs or company executives are often prime users of mobile devices. Unfortunately, they often demand exceptions from MDM enrollment, claiming it’s too intrusive or restrictive. This leaves some of the highest-risk users vulnerable to whaling attacks.
That attitude then creates a similar view for the regular end users, leading to an overall negative perception of MDM solutions as clunky, bothersome, and unnecessary.
Labor-Intensive Enrollment Process
Many MDMs don’t integrate well with the rest of a company’s IT solutions. This can be due to technical limitations, or to a lack of planning during tool selection and implementation. Regardless, it means the data may not roll up into that all-important single pane of glass that is the ever-elusive goal of IT security and compliance organizations.
Enrollment in MDM solutions is often complicated and labor intensive. Given the inherently dispersed nature of mobile devices, this can make a full MDM rollout prohibitive.
A poorly planned MDM rollout can often result in legal problems for a company, as a result of violations of privacy laws or other employment laws. Given the patchwork complexity of these laws across the US and internationally, this can be an especially daunting challenge for global companies.
Extra BYOD Challenges
BYOD adds complexity to all of the above challenges and brings some of its own difficulties to the table too. For example, companies using BYOD can’t fully dictate which devices are approved for employee use.
A company may have a policy that prohibits connecting to unsecured WiFi hotspots, but on an employee-owned device, connecting to them may be common practice. Unfortunately, this means these devices are even more likely to expose the company to undue risk.
Dealing with lost or stolen BYOD devices poses some of the biggest challenges. Think about this scenario: an executive misplaces their phone and it’s assumed to be lost or stolen. Security policy dictates that it is best to initiate a remote wipe to protect the company.
Now suppose the executive finds the missing phone the next day. By then, it’s already been rendered useless for both professional and personal use. What kind of fallout might occur from wiping an executive’s personal phone, even though from a security perspective, it was the right thing to do to protect the company?
How Can Organizations Deal with MDM Challenges?
First and foremost, an MDM implementation needs to be planned. It is not a turnkey technology, no matter what any vendor may try to sell you during the sales hype cycle.
Like any IT project, it requires diligent planning and thoughtful effort around people, process, and technology in order to be successful. This includes gathering requirements and setting expectations for the solution at the start of the vendor selection process and actually using these criteria to evaluate a shortlist of products.
Along the same lines, include legal counsel up front as part of the MDM solution planning and design. This will help to identify potential pitfalls early in the process and allow plenty of time to plan ways around them.
Use compliance and regulatory standards to develop formal company policies around the appropriate use of mobile devices and the controls necessary to secure them. Because MDM can be intrusive, the user experience is often poor. This can lead to many exceptions and even cause the solution to fall into disuse.
A better approach is to provide thoughtful design of the expected user experience upfront. Tackle the challenges early, be they technical or user awareness and behavioral items.
No MDM tool will be able to manage every possible mobile application, so this is a problem that any MDM program must be prepared to address. There may be a lag before new and popular applications are supported. Think about which apps will be managed, as well as how to handle apps that cannot be managed.
Define and communicate the process for lost or stolen devices. Users need to be aware of this process, what data may be lost, and how to go about getting a new device as well as getting back up to full working capability with a replacement.
When BYOD is involved, users need to know whether you plan to wipe their entire phone if it gets lost, or whether only a subset of the device (such as a secure sandbox) will need to be reset. This may play a big role in whether your organization takes advantage of BYOD or not.
Where Is MDM Headed in The Future?
Business Wire’s report suggests that a majority of companies are struggling with MDM policies and tools, and that most of them plan to make at least some changes to their policies in the coming months.
Mobile-initiated data breaches are also on the rise. As a result, people can expect more stringent configuration and usage policies and an increased focus on mobile security. Since work-from-home isn’t going away anytime in the near future, device management will have to get solved, and quickly.
The overwhelming majority of employees would prefer to have separate work and personal devices, but many still use their cell phones for work. It’s possible that secure sandboxing, where the MDM installs its own container for company data and apps, may catch on.
Secure sandboxing allows administrators to remotely wipe and control company data, while leaving the rest of the device alone for the user. Unfortunately, this solution is complicated enough that most users don’t understand it, so they’re still concerned about using a company-provided MDM on a personal device.
With concerns over privacy laws on the rise, companies are going to have to figure out how MDM and BYOD can coexist, or they will risk fines and penalties as users complain to regulators.
How Does Black Kilt Help with MDM Solutions?
Black Kilt has experienced architects available to help you plan your MDM implementation. Or, if you already have an MDM profile that’s unsatisfactory, we can help you redesign it from the ground up. We have the depth and expertise to serve as your guide on the MDM journey. We can also help you choose vendor solutions and partners that will make your project a success. Finally, we’re also able to provide skilled technicians to fill gaps in your MDM staffing plan and train your own employees to be more effective.