Mobile endpoint security: What enterprise infosec pros must know now
A comprehensive collection of articles, videos and more, hand-picked by our editors
MDM tools can centrally automate many manual IT tasks, such as device enrollment. They also deliver IT requests
over the air to company-issued or employee-owned devices and can help IT administrators get a grip on the plethora of smartphones and tablets that employees have introduced into enterprises.
Mobile device management (MDM) products are rapidly evolving to keep up with the stream of new devices emerging in the marketplace, updated mobile operating systems and increasingly complex business needs. With dozens of diverse products to choose from, finding the best MDM software to monitor and control your mobile workforce can be daunting.
Contemporary MDM tools have many capabilities and desirable features, but IT has to consider MDM software's limitations and look at how these tools can help meet workforce requirements.
Mobile platform support
Heterogeneous mobile device management products create a single unified console through which IT can administer different mobile devices and operating systems. But these products vary in breadth and depth.
It is now common for MDM tools to support smartphones and tablets running Apple iOS 4 or later, Google Android 2.3 or later, and Windows Phone 6 and 7. Support for BlackBerry OS and Windows Phone 8/RT is less common but growing, while Symbian and WebOS support is fading along with declining popularity.
Start any MDM product evaluation by narrowing your candidate list to those capable of supporting mobile devices and operating systems of strategic importance to your workforce. Accept that MDM products may not support some older devices, while some new consumer devices may not yet be accommodated by MDM products.
Seek acceptable but not 100% device coverage, focusing instead on the depth of capabilities available for your highest-priority devices. Ask about legacy management for older devices; many MDM products offer limited control over nearly anything using Exchange ActiveSync. Look at each product's track record for supporting newly released devices and OS versions; past performance can be an indicator of future expandability and anticipated time to market.
Basic MDM capabilities
Once you've compiled a list of products that could manage most of your organization's roster of devices, drill down into the capabilities offered for each mobile OS. At first glance, MDM tools tend to look alike.
For example, every product on your list should offer device policy management. Any product lacking this basic MDM capability should be disqualified. This might seem obvious, but many products that excel at one thing, such as mobile expense management or secure enterprise email, mistakenly make it onto MDM product lists.
In fact, a lack of industry standardization is a fundamental challenge. MDM vendors use varied labels to describe similar capabilities and group capabilities, inhibiting apples-to-apples comparison. For the best results, develop an evaluation guide of MDM features that reflect your workforce requirements, using it to inventory what each MDM product offers for each required mobile OS.
Table 1 outlines basic capabilities that any MDM product should offer, along with common IT tasks and related features to look for.
Basic mobile device management features
Note that supported tasks and features differ among products. This is where you will begin to appreciate each MDM product's fit for your workforce. For example, all MDM tools support device enrollment. Historically, IT enrolled company-issued devices, individually or in bulk. Today, it's common to offer a self-enrollment portal that bring your own device (BYOD) users can visit to register their devices and (if approved) get them automatically provisioned with device policies.
Or you may prefer an enrollment portal that integrates with Active Directory so that workers can log in with their usernames and passwords instead of requiring users to type in yet another new password. Rather than require IT to define the same management policies repeatedly for every user in a group, provision devices with group-based policies.
It's also important to evaluate your required features for each mobile OS. For example, all MDM products can configure PIN and password policies to deter unauthorized use of lost or stolen devices. The mobile OS determines PIN or password length, strength, complexity and reuse; MDM products cannot mask this difference in device capabilities.
What MDM tools can do, however, is provide uniform tools to define and apply the same logical policy to devices running different OSes. They can also warn you when certain rules aren't supported on a given OS or version.
More on MDM tools
Why MDM software is important and what it should include
MDM software evolves,advanced features emerge
Guide to MDM software
Some MDM products can also automatically check devices and quarantine or de-enroll those that don't comply with policies.
Carefully consider how criteria are set and enforced and what degree of control and automation an MDM product delivers. If a worker installs a blacklisted application, an MDM product might do anything from remotely wiping the device to simply notifying a user that the application is banned and should be removed.
The "right" action could depend on the type of device and user. Look for MDM tools that give IT a range of useful administrative actions, along with the power to apply them intelligently.