MDM integration can help enable mobile access to enterprise applications and data, thereby improving workforce
For example, some mobile device management (MDM) tools can integrate with enterprise mail services such as Microsoft Exchange, Office 365, Lotus Notes or Gmail for Business. At the most basic level, this allows for limited spoken Exchange ActiveSync (EAS) commands on less-capable devices.
MDM tools can also use EAS to prevent enterprise mail access by suspended mobile users or devices that don’t comply with company policies. To impose this quarantine, the MDM product sits between the mail server and mobile devices, intercepting mailbox protocols and behaving as a proxy.
Furthermore, a growing number of MDM tools now offer mobile document management. Whether MDM simply pushes documents onto managed devices or stores them in encrypted containers, those documents must be obtained from somewhere. That’s where integration comes into play.
In small deployments, administrators can manually upload documents onto MDM servers. But whenever a document is updated, the upload must be repeated. Clearly, efficiencies can be gained by linking MDM software with an enterprise file store through a Windows Server Message Block file share, a SharePoint server or another cloud data service used to store affected documents. This integration also avoids data replication on the MDM server and associated management challenges.
MDM tools that offer mobile application management may also be integrated by configuring the MDM server to pull enterprise apps directly from application development platforms and change management systems. This integration may allow application updates to automatically propagate to the MDM product, where policies determine whether and how they should be delivered to mobile devices.
Incorporating MDM tools into management workflows
Once your MDM product has been installed inside or outside your corporate network and integrated with related infrastructure services, the final crucial step involves process integration -- that is, fitting MDM into your IT workflows.
For example, before mobile devices can be monitored or managed by an MDM product, they must first be enrolled. In the past, IT purchased and manually provisioned devices before issuing them. When an MDM product is deployed, this workflow is often revised as follows:
First, an administrator sends out email or text invitations containing enrollment URLs. Upon receipt, each user clicks on the URL and responds to simple MDM portal prompts to complete device enrollment. The MDM server then auto-provisions each newly enrolled device to enable secure access to enterprise services, applications and data.
This revised workflow brings many benefits. Offloading the device provisioning burden onto MDM reduces IT efforts, letting employers extend mobile access to larger workforces. Through self-help enrollment, MDM can be used to apply appropriate BYOD policies to each device. By automating what was once a largely manual workflow, mobile users can get their own devices up and running faster and make fewer help desk calls in the process.
But even this MDM-assisted workflow can be improved through tighter network and infrastructure integration. As Figure 1 illustrates, some corporate wireless LAN (WLAN) controllers can query MDM tools for mobile device enrollment status. When a previously enrolled device connects to the corporate WLAN, mobile access is permitted in the usual fashion.
When an unknown device attempts to connect, however, it may be denied access to the corporate WLAN but given access to a guest WLAN. Once connected to the guest WLAN, each new device may be automatically redirected to an MDM portal and given an option for self-help enrollment.
This tightly integrated approach further streamlines enrollment by removing IT from the workflow entirely and minimizing user dependencies. When all goes well, an authorized worker using his own device can complete enrollment within minutes of initial WLAN connection. IT staffers can then focus on the exception cases that fail to complete this automated workflow.
When deploying MDM, device enrollment is just one of many things to consider. For best results, conduct a rigorous analysis of the entire mobile device lifecycle, starting with enrollment and provisioning, moving to device monitoring and maintenance, and ending with wiping or disabling if a device is lost, stolen or retired.
During each phase of the device management lifecycle, re-examine IT workflows. These processes were often designed to handle corporate-issued devices or make limited exceptions for bring-your-own-device situations. Identify steps that can be automated, scaled or otherwise improved upon by integrating MDM software into those workflows.
Note that the integration process can be incremental. For example, you can start by using an MDM product for device enrollment, provisioning and disabling, but nothing more.
More information about MDM
Over time, you might add MDM-supported compliance and integrity checks, telecom expense management and so forth. As each advanced capability is added, assess how adding MDM will affect IT administrators and mobile users.
For the best results, involve all stakeholders in identifying impact, and use small pilots to refine your MDM-integrated workflows. A methodical approach to this critical phase -- and to all other aspects of integration -- can greatly increase the success of your MDM product deployment.