The Death Of MDM?

Mobile Device Management

More of us are using our personal smartphones for work. The good news is that employees tend to be more productive and efficient. The bad news is that proprietary business data is increasingly at risk. To solve this, companies have introduced mobile device management (MDM) solutions that secure the smartphones and tablets that employees bring to work, providing secure access to business applications and data.

But the traditional MDM solution may not survive given the growing concern over user privacy. At the same time, mobile device operating systems are evolving to deliver much better security for both privacy control and data protection.

Employees are starting to rebel against MDM. One of the biggest concerns is that an MDM solution has nearly complete control over the device: users either accept that in order to get access to company resources and data, or they simply stop using their own device for work.

The problem is that the mobile device must enrol with an MDM solution and accept the policies IT has defined. This allows IT to control critical aspects of the device, but it also grants the privileges needed to issue remote wipe commands (if the device is lost or stolen) and to request a full list of all the applications installed on it. Those applications could reveal far more than someone might care to share, such as personal hobbies, religious beliefs, marital status and even sexual preferences.

This is far more information than IT needs. IT has been conditioned over the years, by its policies for laptops and PCs, to want to control which applications are installed and to prevent users from installing anything that is not explicitly approved.

But on mobile devices this control is not necessary, as long as the devices are not jailbroken or rooted, since that disables the application isolation built into the mobile operating systems. The MDM really only needs to check that the device is not compromised; it does not need a full inventory of installed applications, only those business applications it has installed itself.

Many MDM solutions today do give the administrator more granular controls, so they can selectively wipe and secure only parts of the device. But the fact remains that employees are concerned about the lack of privacy on their personal phone and that personal information – photos, applications, contacts etc. – could be at risk when the phone is wiped.

There is a better way to protect business information and applications without giving full control to IT staff. Both Samsung and Apple are pioneering ‘container’ solutions that isolate business information from personal apps and data. Full MDM capability is no longer necessary now that IT can manage the container technology provided natively by Samsung KNOX and Apple iOS. These containers are built into the mobile OS and provide the controls and data protection needed to secure business applications and data to specific business requirements.

Apple provides a virtualised container environment, which can be turned on via its management controls so that managed accounts and apps can be configured to share data among themselves while that data is protected from any other personal apps the user has installed on the device. When the management system removes the managed accounts and managed apps, it removes all business data, including email messages, attachments, files and data that these business apps may have downloaded or cached on the device. All of this is done without changing the user’s experience on the device.

Samsung has built a hardened version of Android, based on SE Android, to secure devices, applications and data, and provides KNOX Workspace, a secured container that clearly separates personal from work. KNOX Workspace provides an environment in which IT can control the apps and accounts used within the container to protect business accounts, attachments and data. It also provides controls over the Workspace itself, so that managing the whole device is not required to deliver the level of assurance needed for business use on the user’s personal device.

With these evolving solutions, the need for full MDM capabilities – and all of the user concerns about them – is fast becoming redundant. Users only need to register their device to have business applications and accounts configured within the container; IT can then provide them with access to the business without dictating security policies over the whole device. Cue happy employee and happy IT department.

Barry Scott

Barry Scott is EMEA Technical Director of Centrify where he enables customers to use their existing infrastructure to control, secure and audit heterogeneous systems, mobile devices and applications. Barry has over 25 years’ experience in Windows, Unix and Linux environments, working with organisations across every major vertical. Prior to Centrify, Barry held various infrastructure operations and architecture roles as a Consultant at many organisations.