July 23, 2012, 8:00 AM — If your users bring their own devices to work, you need to figure out how to keep the work-related files on those devices secure once they enter the enterprise. This can be a challenge, and dozens of vendors are now wrapping their products in the trendy category of mobile device managers, or MDMs. But trying to understand whether these products help secure the device, the user, the applications, or the various files stored on each device can be vexing, and the vendors don't make it easy for you to readily compare their features. This article will examine several of these products, review what should be in your next RFP if you are in the market to buy an MDM, and describe what is involved from both the IT manager and the end user perspectives when deploying these tools.
There is a long list of vendors who have MDMs or equivalents, including such less-well known names as GroupLogic's MobilEcho, Rover Retriever, ionGrid's Nexus, MokaFive, and Meraki Systems Manager. There are also products from major vendors, including IBM's Worklight, Good Technology's Enterprise manager, and HP's Mobile Workplace Services. Some of these only support iOS devices, while others will manage both iPads and various Android devices too. We have summarized a few of these offerings in the table at the end of this article. EnterpriseIOS has put together its own list, and one IT manager has compiled all sorts of useful information on this Spiceworks post looking at different MDM vendors.
Traditional methods don't work
If you haven't used MDMs or spent much time thinking about these products, your first thought might be: why bother? Don't my existing firewalls, intrusion prevention devices, and virtual private networks (VPNs) already handle the tablets and smartphones that are on my enterprise network? Sadly, they don't.
Even if you can find a client for your tablet or smartphone that will work with your corporate VPN provider, VPNs often expose too much of the network to too many applications, and don’t work well on mobile networks. This is because a typical VPN assumes that all apps on your tablet are well-behaved. Once you open up a VPN connection, any app can have full access to your corporate network -- and that includes rogue applications. IT managers do not want to worry about tablet malware.
How about using some kind of remote desktop app? We know one law firm that is doing this, making smartphone users come into their Citrix terminal server gateway for all non-corporate owned devices. These solutions require a solid broadband connection to work effectively. Once the user is offline or in an area with spotty Internet coverage, these remote applications are useless. However, if your company already uses these products, then this could be a good interim solution.
Another option is using a cloud-based storage service. This could be a potential security nightmare, since these services go around any existing security practices. Do you really want anyone who can gain access to your cloud storage account to be able to download your documents freely? Plus, you also have a file fidelity issue, and may not be able to view the document properly on a tablet, since cloud storage depends on client applications to render the content correctly. (Anyone who has had to view a PDF or unpack a ZIP file on their iPad knows this pain.)
App, user, file or device control?
When contemplating MDMs, you first need to decide what you are trying to control: the apps on particular devices, the pairing of a user with his or her device, the device itself, or the collection of files on each device? Each MDM has a somewhat different perspective, and there are advantages and disadvantages to each. But no matter what kind of protection you choose, no MDM product will help if you have an insecure app that sends personal data in clear text and saves it locally on the phone's SD card.
Of course, you could lock down everything so that no one can access any data on your network: that wouldn't be much use either. You need to temper the security with the convenience of having the mobile devices around.
One other complicating factor is that users don't necessarily distinguish between their personal and work activities on their phones or tablets. One solution for this is what MokaFive, Rover, and several others do: provide an encapsulated data container on the end user's device. This technique separates work from personal uses and ensures that corporate data stays secure and personal data stays private. And if a device is lost or stolen, IT can wipe the corporate data container remotely. The rest of the device and the various user files on it will remain unharmed.
Meraki, for example, takes an app-based approach, which is great when the time comes to push out particular apps to all of your devices. But that may not be enough control for you; other tools can get very granular, down to the file level.
What should an MDM actually do?
When it is time to create an RFP or to evaluate these technologies, keep these questions in mind. Consider the specific security trade-offs that any MDM solution will require.
Is all traffic encrypted between mobile devices and your corporate network? Some apps use SSL connections, and some provide their own encryption. Some MDMs don't encrypt any data that is sent over the Internet at all. Most Android devices don't have device-level encryption, for example.
Can you map and manage a device to a particular user in your directory services so that your IT department doesn't need any additional workflow, setup, or policies? Solutions that are tightly coupled with Active Directory or LDAP mean that you can save deployment time and use your existing security policy frameworks. You also might or might not want to lock a particular user to a particular device, depending on your circumstances.
Speaking of policies, can you set device- and application-level policies that are centrally managed? Some MDMs can only set policies for a particular device, or for particular users. Do you really need to manage every device in your network? Maybe not: while you certainly want control over all of your company-owned devices, you may want more flexibility for user-owned devices.
Are files that are viewed on the mobile device actually stored on the device itself? With some products, once a remote session ends, all traces of the document are removed from the tablet's memory and storage. With others, there can be some residue, or the file itself could be accessed by an app that you have already downloaded to your device.
Does a document remain under the control of the app, or can you prevent a document from being exported outside the app? The stricter the control you have, the more secure your files will be.
Can you remotely wipe all traces of the document or history from the device, or disable it entirely if lost or stolen? With some apps, a panic call into IT can terminate any subsequent access of a device.
Do you need a separate hardware-based management appliance for your MDM? Some products make use of cloud-based management software, while others require specific hardware to be placed on your network. For example, Meraki used to require that you use their hardware platform, but now offers a completely cloud-based service (and it is free, too). The Aerohive/JAMF Software solution employs Aerohive wireless access points to manage mobile devices. ionGrid's Nexus has a Java-based server that you need to run on a Windows or Linux machine on your local network.
How does the MDM work when you need to share documents with external users outside your corporate domain? Some set up a secure tunnel to your file shares, others have publish-and-subscribe models to make these documents easily available on a mobile device. Some also support a variety of intranet-type servers such as SharePoint. An example of the latter is Rover's Retriever, which has a set of programming interfaces for a variety of mobile devices so that you can access corporate data securely with a native mobile app. It comes in two pieces: a server-side Gateway that installs on a Windows computer, and client software that runs on iOS and Android devices. The Gateway comes with a variety of connectors to SQL Server, Excel spreadsheets, and SharePoint services. The screenshot to the right shows what the client piece looks like on iOS.
What is this going to cost?
In addition to the wide range of functionality we've described, MDM products have a wide cost range. Meraki's service is free, while IBM's Worklight requires a five-figure server investment. In between are the others, with some offering perpetual licenses per device while others charge annual subscriptions. Volume discounts and 30-day free trials are also available.
As you can see, the MDM world is still pretty wild and woolly. Hopefully, this has given you a good starting point for evaluating some of these solutions for your particular circumstances.
Selected MDM technology vendors
| Vendor | Product | Support for non-iOS devices? | Typical pricing |
|---|---|---|---|
| Aerohive/JAMF Software | Casper Suite | Android support coming late summer 2012 | $90 per seat, plus maintenance contract; JAMF is offering a 100% discount for educational uses for a limited time, but there will be an annual maintenance fee |
| Fiberlink | MaaS360 | Yes | $5 per seat per month |
| Good Technology | Enterprise | Yes | $1,500 server, plus $160 per seat, plus maintenance |
| GroupLogic | MobilEcho | No | $7,000 server license |
| IBM | Worklight | Yes | $35,000 server, plus $150 per seat per year |
| ionGrid | Nexus | Yes | $15 per seat per month |
| Meraki | Systems Manager | Android support coming late summer 2012 | Free |
| MobileIron | Virtual Smartphone | Yes | $75 per seat |
| MokaFive | MokaFive for iOS | No | $150 per seat per year |
| Rover Apps | Retriever | Yes | $45 per seat per year |