Creating a mobile device management (MDM) program can be a daunting prospect given the central role smartphones and tablets play in many workplaces.
People want to use their phones anywhere and anytime so securing those devices can be problematic. A heavy-handed approach to locking down devices can easily get staff offside, however.
Something to avoid is having oversimplified MDM solutions that users end up ignoring or working around when you want to secure the data, according to IBRS senior advisor Joe Sweeney.
According to Sweeney, enterprises will start to see MDM embedded in a broader range of digital workspace solutions.
“MDM is quite fundamental in how you secure your business activities,” he said.
“What you are putting into your security round is the information, processes and the application. All of those things must be considered when you are looking at MDM.”
However, Sweeney said that IT managers should view MDM as a service rather than a product. Instead of buying the technology outright, enterprises can look at an MDM subscription model.
“The telcos are really hungry to secure and add value to their network business,” Sweeney said.
“They have got into bed with a few MDM vendors and so when you are negotiating your telecommunications infrastructure, it’s a really good time to say `throw in an MDM.
“You can embed in your network contracts your MDM contract. In many cases it will be bundled in for next to free.”
This also turns the procurement of MDM from being a product discussion into a service discussion.
Gartner enterprise mobile analyst Ken Dulaney said the end user and the IT department need to “come together” when it comes to MDM.
“Instead of being dictatorial, IT needs to become more advisory,” the analyst said.
“They do that by providing some options to the end user that they can choose. Every option has certain privileges and consequences.”
The three key vectors are user responsibility, approaching security and support delivery.
There is the fully managed option where IT supports and owns the mobile device.
“If the user decides that they don’t want that device within reason, they can make other choices at their own expense,” Dulaney said.
“That’s where bring your own device [BYOD] occurs and this is semi-managed.”
Responsibility is split between IT and the end user but support is mostly up to the employee.
“IT only takes the role of making sure the content gets to the device,” he said.
In containerised mobile security models, business information is kept separate from personal information.
In some cases, businesses opt for a signed agreement with the employee where they agree to the device being wiped if it gets stolen or compromised.
Dulaney said end users and IT need to come up with a framework where both parties will agree who is responsible for support and security.
Once you have selected an MDM service, having a culture that understands risk and security is also important.
Establishing a culture where everyone understands the ramifications of doing something that can increase the risk profile is needed. At the same time, a balance is needed to ensure that employees are still productive with mobile devices.
“Unfortunately, IT departments in the past have been so risk averse they have tried to lock out the ability for people to use common sense. That’s impossible and just doesn’t work in this day and age,” Sweeney said.
He added that enterprises need a purpose driven culture that understands there is risk.
A good example of that is not opening up file attachments from unknown sources.
The next piece is addressing digital mobility. Part of that strategy is understanding identity management and the risk stance on an application-by-application basis.
“Most people do mobility in one project at a time,” Sweeney said.
“If you do it that way you are going to end up with a total mess. Your MDM will be fragmented and it is a real risk profile mess.”
“If you have a purpose culture than your mobility strategy will come out of those discussions,” said Sweeney.
Follow Hamish Barwick on Twitter: @HamishBarwick