Mobile device management
||This article is written like a personal reflection or opinion essay that states the Wikipedia editor's particular feelings about a topic, rather than the opinions of experts. (December 2013)|
Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices.
MDM is a way to ensure employees stay productive and do not breach corporate policies. Many organizations control activities of their employees using MDM products/services. MDM primarily deals with corporate data segregation, securing emails, securing corporate documents on device, enforcing corporate policies, integrating and managing mobile devices including laptops and handhelds of various categories. MDM implementations may be either on-premises or cloud-based.
MDM functionality can include over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablet computers, ruggedized mobile computers, mobile printers, mobile POS devices, etc. Most recently laptops and desktops have been added to the list of systems supported as Mobile Device Management becomes more about basic device management and less about the mobile platform itself. MDM tools are leveraged for both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers. Consumer Demand for BYOD is now requiring a greater effort for MDM and increased security for both the devices and the enterprise they connect to, especially since employers and employees have different expectations on the type of restrictions that should be applied to mobile devices.
By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.
With mobile devices becoming ubiquitous and applications flooding the market, mobile monitoring is growing in importance. Numerous vendors help mobile device manufacturers, content portals and developers, test and monitor the delivery of their mobile content, applications and services. This testing of content is done real time by simulating the action of thousands of customers and detecting and correcting bugs in the applications.
Typically solutions include a server component, which sends out the management commands to the mobile devices, and a client component, which runs on the handset and receives and implements the management commands. In some cases, a single vendor may provide both the client and the server, in others client and server will come from different sources.
The management of mobile devices has evolved over time. At first it was necessary to either connect to the handset or install a SIM in order to make changes and updates; scalability was a problem.
One of the next steps was to allow a client-initiated update, similar to when a user requests a Windows Update.
Central remote management, using commands sent over the air, is the next step. An administrator at the mobile operator, an enterprise IT data center or a handset OEM can use an administrative console to update or configure any one handset, group or groups of handsets. This provides scalability benefits particularly useful when the fleet of managed devices is large in size.
Device management software platforms ensure that end-users benefit from plug and play data services for whatever device they are using. Such a platform can automatically detect devices in the network, sending them settings for immediate and continued usability. The process is fully automated, keeps a history of used devices and sends settings only to subscriber devices which were not previously set, sometimes at speeds reaching 50 over-the-air settings update files per second. Device management systems can deliver this function by filtering IMEI/IMSI pairs.
Device management specifications
- The Open Mobile Alliance (OMA) specified a platform-independent device management protocol called OMA Device Management. The specification meets the common definitions of an open standard, meaning the specification is freely available and implementable. It is supported by several mobile devices, such as PDAs and mobile phones.
- Smart message is text SMS-based provisioning protocol (ringtones, calendar entries but service settings also supported like: ftp, telnet, SMSC number, email settings, etc...)
- OMA Client Provisioning is a binary SMS-based service settings provisioning protocol.
- Nokia-Ericsson OTA is binary SMS-based service settings provisioning protocol, designed mainly for older Nokia and Ericsson mobile phones.
Over-the-air programming (OTA) capabilities are considered a main component of mobile network operator and enterprise-grade mobile device management software. These include the ability to remotely configure a single mobile device, an entire fleet of mobile devices or any IT-defined set of mobile devices; send software and OS updates; remotely lock and wipe a device, which protects the data stored on the device when it is lost or stolen; and remote troubleshooting. OTA commands are sent as a binary SMS message. Binary SMS is a message including binary data.
Mobile device management software enables corporate IT departments to manage the many mobile devices used across the enterprise; consequently, over-the-air capabilities are in high demand. Enterprises using OTA SMS as part of their MDM infrastructure demand high quality in the sending of OTA messages, which imposes on SMS gateway providers a requirement to offer a high level of quality and reliability.
Use in the enterprise
As the bring your own device (BYOD) approach becomes increasingly popular across mobile service providers, MDM lets corporations provide employees with access to the internal networks using a device of their choice, whilst these devices are managed remotely with minimal disruption to employees' schedules.
MDM for Mobile Security
All MDM products are built with an idea of Containerization. The MDM Container is secured using latest crypto techniques (AES-256 or more preferred). All the corporate data like email, documents, enterprise application are encrypted and processed inside the container. This ensures that corporate data is separated from user’s personal data on the device. Additionally, encryption for entire device and/or SD Card can also be enforced depending on MDM product capability.
Secure Email: MDM products allow organization to integrate their existing email setup to be easily integrated with MDM environment. Almost all MDM products support easy integration with Exchange Server (2003/2007/2010), Office365, Lotus Notes, Blackberry Enterprise Server (BES) and others. This provided flexibility of configuring Email-over-air. Secure Docs: It is frequently seen that, employees copy attachments downloaded from corporate email to their personal devices and then misuse it. MDM can easily restrict/disable clipboard usage in/out of Secure Container; forwarding attachments to external domains can be restricted, downloading/saving attachments on SD Card. This ensures corporate data is not left insecure.
Secure Browser: Using secure browser can avoid many potential security risks. Every MDM solution comes with built-in custom browser. Administrator can disable native browsers to force user to use Secure Browser, which is also inside the MDM container. URL filtering can be enforced to add additional productivity measure.
Secure App Catalog: Organization can distribute, manage, and upgrade applications on employee’s device using App Catalogue. It allows applications to be pushed on user device directly from the App Store or push an enterprise developed private application through the App Catalogue. This provides an option for the organization to deploy devices in Kiosk Mode or Lock-Down Mode.
Additional MDM Features
There are plenty of other features depending on which MDM product is chosen. Below is the list for it:
• Policy Enforcing: There are multiple types of policies which can be enforced on MDM users.
1. Persona Policy: According to corporate environment, highly customizable
2. Device Platform specific: policies for advanced management of Android, IOS, Windows and Blackberry devices.
3. Compliance Policies/Rules
• VPN configuration • Application Catalogue
• Pre-defined Wi-Fi and Hotspot settings
• Jail-break/Root detection
• Remote Wipe of corporate data
• Remote Wipe of entire device
• Device remote locking
• Remote messaging/buzz
• Disabling native apps on device
SaaS versus On-Premises solutions
||This section contains content that is written like an advertisement. (September 2014)|
Present day MDM solutions offer both Software as a Service (SaaS) and on-premises models. In the rapidly evolving industry such as mobile, SaaS (cloud-based) systems are quicker to set up, offer easier updates with lower capital costs compared to on-premises solutions which require costly hardware, need regular software maintenance, and incur higher capital costs.
For security in Cloud computing, the US Government has compliance audits such as Federal Information Security Management Act of 2002 (FISMA) which cloud providers can go through to meet security standards.
The primary policy approach taken by Federal agencies to build relationships with cloud service providers is Federal Risk and Authorization Management Program (FedRAMP) accreditation and certification, designed in part to protect FISMA Low and Moderate systems.
More on MDM, MAM and MEM
Mobile Device Management (MDM) is like adding an extra layer of security and ensuring a way to monitor device related activities. MDM provides device platform specific features like device encryption, platform specific policies, SD Card encryption. Geo-location tracking, connectivity profiles (VPN, Wi-Fi, Bluetooth) and plenty other features are part of MDM Suite.
Mobile Application Management (MAM) is done by application wrapping i.e. injection arbitrary encryption code in the mobile application source. This is necessary for commercial applications or applications being developed in-house for Enterprise use. Additionally, white-listing/black-listing of application can be done. Features like Application Catalogue allow admin to push applications remotely to the devices for instant install, push remote updates and also remote removal of apps.
Mobile Email Management (MEM) ensures your corporate emails are containerized using advanced proprietary/free encryption algorithms. MEM ensures all emails remain inside the secure container, so that attackers get encrypted data even if they try to compromise the device data using USB cable on a system. Heavy restrictions on clipboard, attachments and trusted domains can be enforced. Nothing can move in-out of the secure container as clipboard is disabled. Even the attachments are downloaded and saved inside the secure container. To view the attachments there is secure document reader as well as secure document editor available in MDM solutions. Adding trusted domains will ensure that data from corporate email is not leaked to malicious/suspicious domains.
- The SyncML Initiative
- OMA Device Management
- Open Mobile Alliance
- Device Management Forum
- Over-the-air programming
- Mobile application management
- Mobile security
- Enterprise mobility management
- BlackBerry Enterprise Server
- What is mobile device management? - a definition from Whatis.com
- A comprehensive article on mobile device management
- Glenn Ford. "Cybersecurity HQ". Retrieved 19 December 2014.
- Ellis, Lisa, Jeffrey Saret, and Peter Weed (2012). "BYOD: From company-issued to employee-owned devices" (PDF). Telecom, Media & High Tech Extranet: No. 20 Recall. Retrieved 15 May 2014.
- "BYOD Requires Mobile Device Management". Information Week.
- "A Playbook for Fighting Apple and Google". Reuters. 15 March 2011.
- "What Is OMA DM?" (PDF).
- "Binary SMS". Retrieved 19 December 2014.
- "FedRAMP - CIO Council". CIO Council. Retrieved 19 December 2014.
- Solution guide: Manage mobile devices and PCs by migrating to Configuration Manager with Windows Intune
- Solution guide: Mobile device management for Configuration Manager 2007 customers planning to migrate to System Center 2012 R2 Configuration Manager
- System Center Configuration Manager TechNet Library
- Windows Intune TechNet Library
- Open Mobile Alliance Device Management Public Documentation
- How mobile device management works
- Open In Management for Mobile Device Management