If your users bring their own devices to work, you need to figure out how to keep the work-related files on those devices secure once they enter the enterprise. This can be a challenge, and dozens of vendors are now wrapping their products in the trendy category of mobile device managers, or MDMs. But trying to understand whether these products help secure the device, the user, the applications, or the various files stored on each device can be vexing, and the vendors don't make it easy for you to readily compare their features. This article will examine several of these products, review what should be in your next RFP if you are in the market to buy an MDM, and describe what is involved, from both the IT manager's and the end user's perspective, when deploying these tools.
There is a long list of vendors who have MDMs or equivalents, including such less well-known names as GroupLogic's MobilEcho, Rover Retriever, ionGrid's Nexus, MokaFive, and Meraki Systems Manager. There are also products from major vendors, including IBM's Worklight, Good Technology's Enterprise Manager, and HP's Mobile Workplace Services. Some of these only support iOS devices, while others will manage both iPads and various Android devices. We have summarized a few of these offerings in the table at the end of this article. EnterpriseIOS has put together its own list, and one IT manager has compiled all sorts of useful information in a Spiceworks post looking at different MDM vendors.
Traditional methods don't work
If you haven't used MDMs or spent much time thinking about these products, your first thought might be: why bother? Don't my existing firewalls, intrusion prevention devices, and virtual private networks (VPNs) already handle the tablets and smartphones that are on my enterprise network? Sadly, they don't.
Even if you can find a client for your tablet or smartphone that will work with your corporate VPN provider, VPNs often expose too much of the network to too many applications, and don't work well on mobile networks. This is because a typical VPN assumes that all apps on your tablet are well-behaved. Once you open up a VPN connection, any app can have full access to your corporate network -- and that includes rogue applications. IT managers do not want to worry about tablet malware.
How about using some kind of remote desktop app? We know one law firm that is doing this, making smartphone users come in through its Citrix terminal server gateway for all non-corporate-owned devices. These solutions require a solid broadband connection to work effectively. Once the user is offline or in an area with spotty Internet coverage, these remote applications are useless. However, if your company already uses these products, this could be a good interim solution.
Another option is using a cloud-based storage service. This could be a potential security nightmare, since these services bypass any existing security practices. Do you really want anyone who can gain access to your cloud storage account to be able to download your documents freely? Plus, you also have a file fidelity issue, and may not be able to view the document properly on a tablet, since cloud storage depends on client applications to render the content correctly. (Anyone who has had to view a PDF or unpack a ZIP file on their iPad knows this pain.)
App, user, file or device control?
When contemplating MDMs, you first need to decide what you are trying to control: the apps on particular devices, the pairing of a user with his or her device, the device itself, or the collection of files on each device? Each MDM has a somewhat different perspective, and there are advantages and disadvantages to each. But no matter what kind of protection you choose, no MDM product will help if you have an insecure app that sends personal data in clear text and saves it locally on the phone's SD card.
Of course, you could lock down everything so that no one can access any data on your network, but that wouldn't be much use either. You need to balance security against the convenience of having the mobile devices around.
One other complicating factor is that users don't necessarily distinguish between their personal and work activities on their phones or tablets. One solution for this is what MokaFive, Rover, and several others do: provide an encapsulated data container on the end user's device. This technique separates work from personal uses and ensures that corporate data stays secure and personal data stays private. And if a device is lost or stolen, IT can wipe the corporate data container remotely. The rest of the device and the various user files on it will remain unharmed.
For example, Meraki has an app-based approach, which is great when you want to push out particular apps to all of your devices. But that may not be enough control for you; other tools can get very granular, down to the file level.