Mobile endpoint security: What enterprise infosec pros must know now
Mobile device management enables business use of employee-owned smartphones and tablets, but managing devices is just the tip of the iceberg. To truly take advantage of enterprise mobility, add a MAM tool.
Products that deliver a wide range of capabilities can blur the boundaries between device and application management. Mobile device management (MDM) is for enrolling devices, inventorying assets, configuring settings, tracking use and ensuring policy compliance. Mobile application management (MAM) is for presenting application catalogs, distributing and updating software over the air, inventorying installed applications, configuring application settings and reporting on application use.
Some products include both MDM and MAM, such as those from AirWatch, Fiberlink and MobileIron. Other vendors, such as Apperian and App47, deliver standalone MAM tools. And some vendors sell standalone products and MDM bundles, which complicates the landscape even further. But don't let these "you say po-TAY-to; I say po-TAH-to" arguments distract you from the fundamental difference: MDM lets IT administer an entire device, while MAM focuses on applications.
Why add MAM tools?
Employers that embrace bring your own device (BYOD) by enrolling and configuring devices have addressed fundamental concerns. By taking these basic steps, employers may safely permit employee devices to access corporate email or Web portals. But employees want to do more work with their smartphones and tablets, and employers should want that too. These powerful, well-connected computers have the CPU, storage and displays to run real business applications. Tapping this potential is where mobile application management comes in.
For starters, MAM tools can help employers manage business use of public applications downloaded from the Apple App Store and Google Play. They can also present a list of mandatory or recommended apps to each user, inventory the apps installed on a device and identify those that are missing. (For example, any salesperson carrying an iPhone might need the iOS version of the Salesforce Mobile app.) With iOS apps, employers may also purchase license keys from Apple's Volume Purchase Program and distribute those keys via MAM.
Over time, MAM tools can alert users to new apps or to new versions of existing apps. Although they can't remove user-installed public apps, MAM tools can work with MDM products to respond to noncompliance. Together, MAM and MDM can change a device's settings to prevent corporate email or network access.
These basic MAM capabilities can help put users' devices to better use. Employers may insist that all devices have mandatory mobile security measures, such as virtual private network clients, anti-malware, secure browsers, virtual desktop clients and so on. Using MAM to automate app installation and updates can reduce the costs associated with letting the help desk troubleshoot incorrectly configured or poorly written public apps. And taking advantage of Apple's Volume Purchase Program can avoid app purchase reimbursement paperwork and expenses.
Using MAM to roll out enterprise apps
No doubt there are many employers that will stop with public apps on users' personal devices, at least for now. But mobile application management can also play an instrumental role in developing and deploying in-house enterprise apps.
MAM tools can push Android .apk and iOS .ipa files to smartphones and tablets. For Android devices, packages may be associated with public or private apps, and anyone can develop and sign them. For iOS devices, apps are limited to enterprise apps, developed by or for the employer and signed using an Apple-issued certificate.
MAM may also push credential, profile and data files required for installed apps to operate properly. For example, every iOS enterprise app is paired with a provisioning profile that must be present for the app to execute.
Whenever you release an update to an enterprise app, MAM tools can inventory all devices to identify which ones are running old software and then initiate silent over-the-air updates to those devices. Some products support policy-driven updates, such as updating only when a device is connected to Wi-Fi.
MAM technology may also be useful when it comes to monitoring enterprise apps because the software can collect usage, performance and error metrics and use them to support analytics. This kind of data can help employers refine enterprise apps to increase productivity, reduce support costs and target future app development efforts.
Finally, MAM can help disable enterprise apps on noncompliant devices, former employees' devices, devices that are being retired, and lost or stolen devices. For example, when a previously enrolled iOS device is removed from management control, all enterprise apps installed on that iPhone or iPad are automatically disabled.
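The inventory, policy-driven update and disable steps described in this section can be sketched as a per-device action planner. This is an added Python example, not code from any MAM product; the catalog, device records, action names and the rule that a missing mandatory app triggers an access restriction are all assumptions made for illustration.

```python
# Added illustration: catalog, fleet and action names are constructed, not a vendor API.
from dataclasses import dataclass, field

def parse_version(v):
    # '2.10.0' -> (2, 10, 0): compare numerically, since as strings "2.9.1" > "2.10.0"
    return tuple(int(p) for p in v.split("."))

# Hypothetical catalog: app id -> (latest version, mandatory?, enterprise app?)
CATALOG = {
    "com.example.vpn":     ("3.2.0",  True,  False),
    "com.example.crm":     ("2.10.0", True,  True),
    "com.example.expense": ("1.4.1",  False, True),
}

@dataclass
class Device:
    name: str
    managed: bool      # still enrolled under management control?
    on_wifi: bool
    apps: dict = field(default_factory=dict)   # app id -> installed version

def plan_actions(device, catalog=CATALOG, wifi_only_updates=True):
    """Return the sorted (action, app_id) pairs to queue for one device."""
    if not device.managed:
        # Device left management: enterprise apps are disabled, public apps untouched.
        return sorted(("disable", a) for a in device.apps
                      if a in catalog and catalog[a][2])
    actions = []
    for app_id, (latest, mandatory, _enterprise) in catalog.items():
        installed = device.apps.get(app_id)
        if installed is None:
            if mandatory:
                actions.append(("install", app_id))
        elif parse_version(installed) < parse_version(latest):
            # Policy-driven update: hold large downloads until the device is on Wi-Fi.
            deferred = wifi_only_updates and not device.on_wifi
            actions.append(("defer_update" if deferred else "update", app_id))
    # Assumed policy: a missing mandatory app is noncompliance handed to MDM.
    if any(action == "install" for action, _ in actions):
        actions.append(("restrict_corporate_access", "*"))
    return sorted(actions)

# Constructed sample inventory.
FLEET = [
    Device("iphone-sales-01", True, True,
           {"com.example.vpn": "3.2.0", "com.example.crm": "2.9.1"}),
    Device("android-field-02", True, False, {"com.example.crm": "2.9.1"}),
    Device("ipad-retired-03", False, True,
           {"com.example.crm": "2.10.0", "com.example.vpn": "3.2.0"}),
]
if __name__ == "__main__":
    for d in FLEET:
        print(d.name, plan_actions(d))
```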
The future of MAM tools
Studies show that organizations are really just getting started with developing their own private apps. Expect MAM tools to increase in importance as enterprise app use grows. Some products are more tightly integrated with enterprise app development, providing app storage, version control and test support, for example. And while MAM tools often support multiple mobile platforms, many differences exist.
Ultimately, some employers may prefer to manage a few applications on employees' devices, but not the entire device. If your mobility initiative hasn't yet touched on MAM, it's probably time to start considering how it fits into your plan.