In the first blog of this series, "Components of a Holistic Mobility Solution," we described several components that are integral to a full mobility solution: the management of devices and applications, application and client virtualization, data access and protection, and identity management. In this post, we are going to discuss mobile device management (MDM) and mobile application management (MAM) in more detail.
The previous post described the purpose of mobility as securely enabling employees to perform their jobs from a variety of locations using a variety of devices. Management of the devices and applications in a mobility solution is integral to ensuring the security of the solution as well as for enabling access for mobile workers.
Mobile Device Management
Mobile workers can use a variety of devices in the course of getting their work done. These devices may be a combination of corporate owned as well as personally owned (BYOD) devices. With an effective MDM strategy, a company can allow workers to be more productive through the use of devices they want to use regardless of location.
MDM requires that a mobile device be enrolled as a managed device. The process of enrollment will validate that required company policies are enabled and enforced on the device. These policies could include items such as enforcing an unlock PIN on the device, enforcing encryption, or ensuring that the device has not been rooted or jailbroken.
Once the device is enrolled and all policies are enforced, the device is allowed to connect to company applications and data. These policies are also periodically re-evaluated to ensure that the device remains in compliance. If there is a compliance issue then access to company applications and data is automatically revoked until the compliance issue is resolved.
MDM enrollment is an obvious choice for company-owned devices. Personally owned (BYOD) devices can also be enrolled as long as the user agrees to allow the enrollment process to enforce company policies.
While MDM enforces company policy at the device level, there is also a need for protection at the application level.
Mobile Application Management
A complete mobility solution will provide MAM in addition to the MDM protection already discussed. MAM covers a broad range of application-related management including:
- Deploying and updating internally developed, company provided, or public app store applications
- Controlling access to those applications
- Implementing application configurations
- Enforcing data loss prevention (DLP) policies
- Removing applications when necessary
- Managing volume application purchases
MAM policies are configured based on a variety of factors including location, user sensitivity, app sensitivity, encryption state, passcode enforcement, multi-factor authentication (MFA) and more. MAM allows for specific management and policy control to be applied to individual applications. A few examples of specific MAM scenarios are:
- Enforcing the use of a managed web browser
- Blocking the ability to copy/paste from managed applications into non-managed applications
- Wiping corporate data from the device if it is retired or un-enrolled
- Enforcing conditional access to an application based on various requirements
- Requiring a PIN in order to access an application
The degree to which applications can be managed will vary based on the chosen MAM solution as well as the management capabilities of the mobile OS and, in some cases, the application itself. Of particular note, Microsoft’s EM+S solution is the only Enterprise Mobility Management suite that can natively manage the DLP settings of Office 365 mobile applications.
In a BYOD scenario, it is possible to manage the device and application so that only corporate data is impacted by the MDM or MAM policies. For example, if a mobile worker uses a personal phone or tablet to access corporate data and leaves the company, a command can be sent to that device to wipe only the corporate applications and data while leaving personal applications and data intact.
Another MAM scenario involving BYOD devices is the ability to use MAM without requiring the device to be enrolled in the corporate MDM solution. The scenario is called “MAM without enrollment.” This is an effective strategy when a company wishes to provide access to some applications via personally owned devices without enforcing full MDM enrollment and policies on those devices.
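The MDM compliance loop described above (enroll, validate PIN/encryption/root state, re-evaluate at each check-in, revoke until resolved) and the per-app MAM decisions (app PIN, copy/paste restriction, "MAM without enrollment") can be modelled as a small policy evaluator. The code below is an added illustration, not code from any EMM product or vendor; the posture fields, policy names and return values are assumptions chosen for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Constructed device posture report, as an MDM agent might send at enrollment
# and on each periodic check-in. Field names are assumptions for this example.
@dataclass
class DevicePosture:
    device_id: str
    corporate_owned: bool
    unlock_pin_set: bool
    storage_encrypted: bool
    rooted_or_jailbroken: bool
    enrolled_in_mdm: bool

@dataclass
class CompliancePolicy:
    require_pin: bool = True
    require_encryption: bool = True
    block_rooted: bool = True

def evaluate_compliance(p: DevicePosture, policy: CompliancePolicy) -> List[str]:
    """Return the list of device-level policy violations (empty means compliant)."""
    issues = []
    if policy.require_pin and not p.unlock_pin_set:
        issues.append("no unlock PIN")
    if policy.require_encryption and not p.storage_encrypted:
        issues.append("storage not encrypted")
    if policy.block_rooted and p.rooted_or_jailbroken:
        issues.append("device rooted/jailbroken")
    return issues

# Per-app MAM policy. An app may be offered to unenrolled BYOD devices
# ("MAM without enrollment") yet still require an app PIN and block copy/paste
# into unmanaged apps; the last flag would be enforced by the app SDK itself.
@dataclass
class AppPolicy:
    app: str
    allow_without_enrollment: bool
    require_app_pin: bool
    block_copy_to_unmanaged: bool

def app_access_decision(p: DevicePosture, policy: CompliancePolicy,
                        app_policy: AppPolicy, app_pin_entered: bool) -> Tuple[str, List[str]]:
    """Decide whether a device may open an app; run again at every check-in."""
    if p.enrolled_in_mdm:
        issues = evaluate_compliance(p, policy)
        if issues:  # MDM: a non-compliant device loses access until the issue is fixed
            return ("revoked", issues)
    elif not app_policy.allow_without_enrollment:
        return ("denied", ["enrollment required"])
    if app_policy.require_app_pin and not app_pin_entered:
        return ("pin_required", [])
    return ("allowed", [])
```

Because the decision is recomputed from the latest posture each time, a device that becomes compliant again regains access without a separate "restore" step.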
The next post in this series will discuss applications in more depth as well as break down how client virtualization fits into a mobility strategy. To read more about MDM and MAM, consider these articles from AirWatch and Microsoft:
For more enterprise management and deployment tips follow me on Twitter @VerbalProcessor, or call your CDW account manager and ask to speak to a solution architect for answers to specific questions.