When I am designing a solution for a customer, more and more of the discussions come back to BYOD and how to secure corporate information on these devices, whether email is moving to Exchange 2013 or to Office 365. Some clients are in the process of testing and implementing a solution for their corporate email. My role becomes one of validating the solution to make sure it will meet certain corporate requirements as well as be compatible with their future messaging solution.
The Players
Typically I see four major solutions when it comes to securing a device in the BYOD world:
- Exchange ActiveSync policies – basic and free
- Microsoft EMM – which includes Intune – relatively new
- AirWatch – the current leader (at least with my clients)
- MobileIron – a close second for my clients
Yes, there are more solutions and other vendors (Citrix comes to mind); however, I have not seen them deployed at a customer site in the past few years. Typically it's AirWatch or MobileIron, with Microsoft getting a spin but not quite the full ride yet from each client. All these solutions share similar characteristics: they work in the cloud and on-premises, provide more control than your basic EAS policies would for Exchange/Office 365, and provide reporting and searching capabilities out of the box.
Why MDM?
In the early days of smartphones we had Windows 2003, Treos and the like. These devices were originally designed to be ActiveSync only, which usually meant a corporate phone with complete control to wipe and retain phones for future employees. Good software, BlackBerry (with their own proprietary connections to Exchange) and other early MDM providers would start out by enhancing this sense of control. As an industry we have surely seen this sense of control change to one of management, where a user can bring a device into an environment and not expect their employer to take full control and ownership of the device.
Enter the world of BYOD.
By now the IT support staff of most companies are well aware of the BYOD transition. This transition has made corporate environments a bit more unpredictable (models are never the same, nor is the underlying OS on a phone). Without corporate policies, some IT departments were/are in a predicament when an employee leaves. What can be wiped? What control do they have? And what is the easiest way to perform this removal of corporate data without the need to wipe the device and delete non-corporate data?
Why Cloud?
As with a lot of other software, there is either an app for that or a hosted service (cloud) solution for that. The same can be said of mobile device management. The move to cloud simplifies an administrator's job as well as making mobile security easier to roll out. Gone are the days of having a hardware solution to go with your on-premises infrastructure. Most if not all vendors either offer a cloud-based solution or only offer a cloud-based solution. This also requires fewer administration and security processes that add to the workload of an administrator.
Now with the movement to BYOD, having a hosted solution for your mobile device platform enables you to isolate corporate data from personal data in a reasonable fashion. We can deploy apps (custom apps as well), enable email access and enable VPN access, all with mobile device management software. We can also remove this corporate data without disturbing personal data.
Supportability-wise, we are also able to rely on the engineers of these companies to provide up-to-date features and troubleshooting help, thus taking some stress off the support engineer or administrator.
Analysis
At the writing of this article, I feel that Microsoft has come a long way in their offerings for mobile devices and Office 365. This includes their basic ActiveSync implementation through to their EMM products. However, they still have some way to go to provide the same level of functionality for their clients. In the meantime, both AirWatch and MobileIron have captured my clients' attention, and clients usually end up either playing one against the other or just picking the one that happens to match their criteria.
The features I pay particular attention to are the mobile container (isolating work-related information), whether the solution is cloud based or an appliance, which devices they support (and how well), security on the container and finally remote wipe, or erasing only corporate information when a person leaves.
When I began working on smartphones, there was no concept of containerization. Phones were corporate phones and only contained corporate data. If you left, the device was wiped by your BlackBerry server or by Exchange. Phones and plans were not as sophisticated as they are today. With the shift to BYOD over the past 4 years or so, we now have what appears to be a 'hybrid' phone where some corporate data is on the phone and some personal data is on the phone. Wiping a device in this state requires a bit more attention and better management software. This is where all the MDM vendors come in, as the Exchange ActiveSync protocol (cloud or on-premises) can only do so much and certainly cannot do a selective wipe at this point.
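To make the limits of the "basic and free" ActiveSync layer concrete, here is an added example (commands written for this post, not taken from it or from any vendor) showing what an administrator can enforce with Exchange ActiveSync mailbox policies in the Exchange 2013 Management Shell or Exchange Online PowerShell, and where the selective-wipe gap appears. The policy name, mailbox addresses and device identity are placeholders.

```powershell
# Added example: baseline Exchange ActiveSync (EAS) device controls.
# Runs in the Exchange 2013 Management Shell or an Exchange Online PowerShell
# session. "BYOD-Baseline", the mailboxes and the device identity are placeholders.

# 1. Create a mailbox policy with the controls EAS can apply to the whole device:
#    PIN, lock timeout, wipe after repeated failures and device encryption.
New-MobileDeviceMailboxPolicy -Name "BYOD-Baseline" `
    -PasswordEnabled $true `
    -AlphanumericPasswordRequired $false `
    -MinPasswordLength 6 `
    -MaxInactivityTimeLock 00:05:00 `
    -MaxPasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# 2. Assign the policy to a mailbox (pipe Get-CASMailbox into this for many users).
Set-CASMailbox -Identity "user@contoso.example" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Quarantine device types you have not explicitly allowed, so an unknown BYOD
#    model cannot start syncing until an administrator reviews it.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "helpdesk@contoso.example"

# 4. Check which devices sync the mailbox and whether they applied the policy.
Get-MobileDeviceStatistics -Mailbox "user@contoso.example" |
    Select-Object DeviceType, DeviceModel, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus

# 5. When the employee leaves: EAS can only wipe the WHOLE device. There is no
#    "corporate data only" wipe at this layer; that is the gap the MDM vendors
#    fill with containers. Take the device Identity from Get-MobileDevice first.
$device = Get-MobileDevice -Mailbox "user@contoso.example" |
    Where-Object { $_.DeviceId -eq "<DeviceId from step 4>" }
Clear-MobileDevice -Identity $device.Identity `
    -NotificationEmailAddresses "helpdesk@contoso.example" -Confirm:$false
```

Step 5 is the reason the post recommends a real MDM solution for BYOD: the wipe removes the user's personal data along with the corporate mailbox.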
Which MDM Solution
It would be great if there was just one great solution for your MDM service. However, I cannot recommend just one because, as I tell my clients, 'It Depends'. It depends on how much you want to spend on MDM. It depends on who is going to manage the solution. It depends on what your end user base is. It depends on how secure you need your devices to be (compliance, anyone?). It depends on the devices you have. It depends on what features you need from the products.
As you can tell from the paragraph above, I won't be pointing out which solution will work for you. There are too many variables that come into play. If you can, get a free demo for a few devices. See how it works, read the manual and talk to sales and engineers at the company. Check out reviews and other guides that go into detail on what each solution can offer. Narrow the selection down to 2 or 3. Then see what pricing you can get and whether it will work within your budget. Finally, pull the trigger. Nothing is worse than no decision at all. After vetting vendors, there should be a solution or solutions that will satisfy your requirements.
Office 365 – MDM / Intune
Microsoft has recently started introducing more MDM features into basic Office 365 licenses like Business Premium. While Intune provides a more fully featured approach to MDM, the built-in features allow those new to Office 365 and MDM to get their toes wet in the MDM pool, with features like:
- Office 365 Admin Console access
- Conditional access – security policies to allow only certain devices to connect
- Device management – set security policies, restrict jailbroken devices, etc.
- Selective wipe – remove only company data
A corporation can provide some level of protection even with this basic functionality. With Intune, Microsoft introduces more enterprise-level features like:
- Advanced mobile device management – certificate, enrollment, Wi-Fi and email profiles and more
- Mobile application management – deploy apps, secure apps, wrap other apps, other secure apps/content
What to Do?
In the end, I always recommend that a client go the route of putting in an MDM solution, whether this is a full-featured solution from a well-known vendor or something basic like Office 365 MDM that is included with their licensing. With the transition to BYOD almost complete and a lot of clients going to cloud, the solution needs to fit multiple needs, which include things like Office 365 integration, containers for corporate data, custom apps and compliance rule sets. The best of breed appear to be moving to cloud-based solutions from their former appliance days. I expect this to continue for most vendors, and I expect corporations will adapt to whatever fits their needs. I believe that choosing an MDM solution is a must for securing your mobile users, both for their data as well as your company's.
Further Reading
- Introducing built-in mobile device management for Office 365
- BYOD Basics: Mobile Device Enablement Via Office 365
- Bring Your Own Device Scenarios: A Deployment Guide for Education
- MDM vs. In-Tune