MDM in the remote era: 4 trends that matter to your security

Matthew David, Digital Leader, Accenture

Enterprise mobility management (EMM) suites let mobile device management (MDM) software manage the devices on a company's network, so administrators don't have to configure each device by hand. If you use an iOS device at work, for example, it is managed by your employer's device management software.

The role of MDM is evolving and expanding as pandemic-driven work from home continues, and it may never go back to the way things were. This means that we must now manage all personal devices with MDM software as well.

Is today's MDM technology up to the job? Here are four key areas where MDM technology and operational trends have evolved in the last year in response to these new demands.

1. MDM expands its device scope

A typical enterprise may have over 10,000 wireless access points. Rather than requiring network administrators to run multiple separate networks, MDM software can manage all of the organization's IT devices. The MDM agent is built into the mobile device's operating system, so an administrator selects the device to manage and is connected directly to all company data on it.

Whether it's a small office of 10 employees or a large global enterprise, a device with MDM software can identify who is working and on what. Each worker uses one credential that is recognized across the organization. The device administrator can access company records and manage remote access to systems and computers from any location.

Security is a critical part of MDM. A managed mobile device connects only through the MDM agent, so if it joins another network, for example a coffee shop's Wi-Fi, it should still connect back to the MDM-managed network and not to a different company's system.

For example, an employee can log onto a co-worker's laptop and view shared files; the files remain secured and are not exposed to the wider company network.

The app can also manage devices that roam off the corporate network. Suppose an employee leaves the company while holding a device that is no longer connected to the MDM network. In that case, the employee can be logged out of the company system, and any confidential information on that device is wiped. There are many MDM tools out there, and it's essential to understand which MDM platform best fits your needs.

2. Android and iOS get into the MDM game

For many years, Apple has been making device management for iOS, iPadOS, and macOS easier. With the release of iOS 14, Apple included these features:

  • Automated Device Enrollment improvements: Large-scale enrollment for hundreds of iOS devices has been around for several years, and each release is an opportunity to improve it. Now you can add tvOS and macOS to the iOS and iPadOS rollouts.
  • UAMDM and Supervision consolidation: This is specific to macOS. User Approved MDM (UAMDM) and Supervision have been merged, making device management simpler. UAMDM gives MDM software additional options beyond what is allowed for macOS MDM enrollments that have not been "user-approved."
  • Managed OS updates: Core OS updates for both macOS and iOS/iPadOS can be deferred for up to 90 days.
  • Content caching metrics via MDM: Content caching shares downloads from Apple (whether apps or OS updates) across devices on the same network. This reduces the Internet bandwidth a site uses and speeds up installing already-cached downloads to devices.
  • Encrypted DNS settings: As an administrator, you can improve users' privacy and security by encrypting DNS traffic between devices and DNS servers.
  • VPN-tied profiles: You can now bind profile-specific payload types to VPN profiles, so the OS routes traffic for those services over the VPN connection. The payload types covered are CalDAV, CardDAV, Exchange ActiveSync, Google Account, LDAP, Mail, and Subscribed Calendar.
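A configuration profile that applies two of the features listed above, the encrypted DNS payload and the maximum 90-day update deferral, as an added example that is not from the article or from Apple. The payload types and key names are those of Apple's configuration-profile reference; the organization, payload identifiers and resolver URL are constructed sample values.

```python
import plistlib
import uuid

MAX_UPDATE_DELAY_DAYS = 90  # the deferral ceiling the article cites for managed OS updates


def _payload_header(payload_type, identifier, name):
    """Common keys every configuration-profile payload carries."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,  # constructed identifier, not a real organization's
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def encrypted_dns_payload(server_url, server_addresses):
    """Force all DNS over HTTPS to one resolver (payload type com.apple.dnsSettings.managed)."""
    payload = _payload_header("com.apple.dnsSettings.managed", "com.example.mdm.dns", "Encrypted DNS")
    payload["DNSSettings"] = {
        "DNSProtocol": "HTTPS",
        "ServerURL": server_url,
        "ServerAddresses": server_addresses,
    }
    # Supervised devices only: stops the user from switching the managed resolver off in Settings.
    payload["ProhibitDisablement"] = True
    return payload


def software_update_delay_payload(days):
    """Defer OS updates for `days` days via the restrictions payload (com.apple.applicationaccess)."""
    if not 1 <= days <= MAX_UPDATE_DELAY_DAYS:
        raise ValueError(f"delay must be between 1 and {MAX_UPDATE_DELAY_DAYS} days, got {days}")
    payload = _payload_header("com.apple.applicationaccess", "com.example.mdm.restrictions", "Deferred OS updates")
    payload["forceDelayedSoftwareUpdates"] = True
    payload["enforcedSoftwareUpdateDelay"] = days
    return payload


def build_profile(payloads):
    """Wrap the payloads in a top-level profile and serialize it as .mobileconfig XML."""
    profile = _payload_header("Configuration", "com.example.mdm.baseline", "Remote-work baseline")
    profile["PayloadOrganization"] = "Example Corp"  # constructed
    profile["PayloadContent"] = payloads
    return plistlib.dumps(profile)


def parse_profile(blob):  # read a serialized profile back to check what was built
    return plistlib.loads(blob)


if __name__ == "__main__":
    dns = encrypted_dns_payload("https://doh.example.net/dns-query", ["192.0.2.53"])  # constructed resolver
    print(build_profile([dns, software_update_delay_payload(MAX_UPDATE_DELAY_DAYS)]).decode())
```

The resulting .mobileconfig still has to be signed and pushed by your MDM server; a deferral outside 1..90 days is rejected here before it ever reaches a device.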

Apple continues to invest heavily in its enterprise MDM features, and Google is determined not to be left behind. For many companies, Android has long posed challenges for MDM controls, and it has not had a perfect record for implementing them consistently. That said, Google is serious about offering MDM protection for the enterprise, and to this end it offers Android Enterprise. This gives companies that want to roll out Android devices decent coverage.

The recently released Android Enterprise Essentials ups the game. Critical features include:

  • Remote device activation lets users start working from wherever they are.
  • Policies can be applied automatically.
  • Companies can remotely wipe devices and reset screen locks.
  • Data is protected if the device is lost or stolen.

Essentials now gives enterprises the assurance they need to roll out Android devices en masse. This is essential for us, as my teams will often look to Android as an alternative solution. For instance, when the budget is an issue, you apply Android Enterprise and Android Essentials to the $30 Android-powered Moto e6. This is far cheaper than the cheapest iPhone.

3. MDM ties into identity management

Fundamentally, you have to assume that every mobile device is inherently insecure. My team takes this approach and makes it a foundational element for all work we do with machines. By making this conscious decision, you can address the following questions:

  • Who is using the device?
  • What data is being used on the device?
  • What credentials should be used to protect the device?

As the MDM enhancements listed above for both iOS and Android show, there is a consistent focus on security and identity.

The cost of ignoring security is high. MDM tools now make it much easier for you to protect both the device and the identity of the person using it. Take advantage of these significant improvements.

4. MDM takes on the app stores

The final challenge for managing devices, particularly personal devices not owned by a company, is the apps you cannot control. In this space, Android is ahead of Apple in that Google gives MDM administrators much tighter control over how data is stored and shared on a device. Apple is not far behind, but Apple still allows device owners to install any app on their devices.

Fortunately, Apple's App Store has a good record for keeping nefarious apps out of the marketplace. The harder challenge is restricting data that is easily copied from a corporate email and pasted into social media apps. To this end, Microsoft Intune and MobileIron do provide tools that prevent corporate data from being copied to personal apps. The MDM administrator, however, must activate these enhanced security features.

The new normal means new controls

Devices are more a part of our lives today than ever. The pandemic drove millions of people to work from home. Reliance on PCs, tablets, and phones has skyrocketed.

As 2021 moves on, it looks as if we may start to return to normal. However, some elements of our lives are forever changed, and working from home is one of those. Make sure your team is deploying the best defenses available.
