Management and control

MDM systems are often not necessary right away for companies with a small number of mobile workers, whose managers often believe their IT-department can handle it effortlessly. But a reality check can quickly dispel this illusion.

The usage of personal smartphones and tablets by employees for work purposes gives IT-support a number of new tasks:

Connecting the device to the network. Configuring the OS, installing and setting up the necessary applications, and downloading and enabling certificates takes a lot of man-hours. Potential security holes in the device, such as an iOS jailbreak or Android rooting, should be detected at this stage.

Protection against malware. It is not enough just to install a mobile antivirus; it must be updated regularly as well. You also need to make sure that there are no malicious or potentially dangerous programs on the device. Phone settings can be unsafe, too: for example, permitting installation of programs from unknown sources on Android dramatically reduces the security of the device. Most importantly, all of this has to be done regularly, which means phones have to be collected from their owners periodically.

Assured data protection against unauthorized access. Important data must be encrypted; otherwise there is no safeguard against it falling into the wrong hands, including extraction from the hardware by a specialized forensic device. Moreover, applications that process sensitive data must not transmit it unencrypted.

Software updates. Outdated software does not just cause problems, it can also threaten the security of corporate information. Again, the device has to be collected periodically: even sending updates by email does not guarantee that employees will actually install them.

Updating settings and data. Periodically updating the corporate contact database on employees’ devices is only half the trouble. Changes to the corporate network infrastructure can cause even more problems: for example, a change in the VPN server parameters can instantly trigger a flood of requests to IT support, forcing administrators to spend time reconfiguring client devices.

Deleting corporate data from a lost device. Antiviruses and specialized applications have “anti-theft” functions, but when the loss of a device is not accidental, it immediately disappears from the network and the deletion of data fails. Hackers get all the information.

Under this burden, the IT department is quite unlikely to keep up with all incoming requests and should implement an MDM system. All of the tasks above can then be done remotely and automatically, in whole or in part. But bear in mind that each developer has their own view of what MDM functionality is necessary, so the choice may be a nontrivial task.

What is a modern MDM system capable of? Let’s list the main features:

Remote installation. To connect to the MDM system and obtain the required software, an employee does not have to hand over their smartphone or tablet to IT specialists. All required operations can be performed automatically after following a link sent by SMS, by email, or on paper in the form of a QR code.

Configuring the device. The system administrator should be able to remotely change settings and enable or disable functions of the device without assistance from the user.

Mass update. The system must allow remote installation of patches and software updates on all company devices as they sync with the system.

Mobile device audit. The administrator must have full information about the characteristics of the employee’s smartphone or tablet, the programs installed on it, and any emerging software and hardware errors. Control of the current device settings is also important: the owner of the device can unwittingly disable an annoying function that directly affects data security (for example, mandatory PIN code entry). A jailbroken iOS device or a rooted Android phone may also become a critical security hole.

Managing the device’s security policy. The user’s common sense is an unreliable safeguard for information security. The administrator must be able to enforce the required security policy on any new device connected to the corporate network.

Assured security of corporate data. The data must be protected in any case, but the MDM system developer has to choose the right means of doing so: antivirus software, encryption or application containerization. In addition, in case of a lost device or an employee’s dismissal, the administrator should be able to completely remove all corporate data from the phone.
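The audit and security-policy features described above boil down to evaluating each enrolled device against a set of rules. The following is an added example, not code from the article or from any vendor’s product: a minimal compliance check over a constructed device inventory that flags the conditions the text names (root/jailbreak, no PIN, unencrypted storage, unknown sources enabled, outdated OS, stale antivirus databases). The record fields and policy thresholds are assumptions for illustration.

```python
# Added example, not from the article: compliance audit over an MDM device inventory.
# Field names, policy thresholds and the sample records below are all assumptions.
from dataclasses import dataclass
from datetime import date

@dataclass
class Device:
    owner: str
    platform: str            # "android" or "ios"
    os_version: tuple        # e.g. (13, 0), compared lexicographically
    pin_required: bool       # screen-lock PIN enforced on the device
    rooted_or_jailbroken: bool
    unknown_sources: bool    # Android "install from unknown sources" enabled
    av_definitions: date     # date of the last antivirus database update
    encrypted: bool          # storage encryption enabled

# Policy values chosen for this example only, not vendor defaults.
POLICY = {
    "min_os": {"android": (12, 0), "ios": (16, 0)},
    "max_av_age_days": 7,
}

def audit(dev: Device, today: date) -> list:
    """Return the policy violations for one device (empty list = compliant)."""
    findings = []
    if dev.rooted_or_jailbroken:
        findings.append("device is rooted/jailbroken")
    if not dev.pin_required:
        findings.append("screen lock PIN not enforced")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if dev.platform == "android" and dev.unknown_sources:
        findings.append("installation from unknown sources enabled")
    if dev.os_version < POLICY["min_os"][dev.platform]:
        findings.append("OS version below policy minimum")
    if (today - dev.av_definitions).days > POLICY["max_av_age_days"]:
        findings.append("antivirus databases outdated")
    return findings

def audit_fleet(devices, today: date) -> dict:
    """Map each owner to that device's findings; non-empty lists need action."""
    return {d.owner: audit(d, today) for d in devices}

# Constructed sample inventory: one compliant iOS device, one non-compliant Android device.
SAMPLE = [
    Device("alice", "ios", (17, 2), True, False, False, date(2024, 5, 1), True),
    Device("bob", "android", (11, 0), False, True, True, date(2024, 4, 1), False),
]

def sample_report() -> dict:
    """Run the audit on the constructed inventory as of a fixed date."""
    return audit_fleet(SAMPLE, date(2024, 5, 3))

if __name__ == "__main__":
    for owner, issues in sample_report().items():
        print(owner, "OK" if not issues else "; ".join(issues))
```

In a real deployment the inventory would come from the MDM agent’s sync, and the non-empty findings would drive policy enforcement or a remote wipe rather than a printout.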

The last point is one of the most technically challenging. For this reason many MDM systems are simply unable to protect against the full range of threats facing customers, forcing them to purchase additional means to ensure the security of their mobile devices.

Perhaps the most difficult and time-consuming task is implementing a transparent application container. The application must exchange data solely through the container, with its performance entirely preserved. It is not enough to determine which methods of the operating system’s API can be used to transmit unencrypted data; one must also find out what effect interfering with them has. For example, to develop a transparent containerization technology that does not affect application performance, the creators of the MDM system for “Kaspersky Security for Business” had to test tens of thousands of apps from Google Play. They wrote a custom application that downloaded executables and installed them in a container. The testing was also automated, since running that many applications manually would have taken ages.

The quality criteria

All MDM systems without exception are designed to operate within corporate networks, which is why they are subject to very stringent requirements. Creating a high-quality MDM system that can protect mobile devices within a corporate network is a difficult task, and each developer has their own approach to it. For example, when developing the MDM system for “Kaspersky Security for Business” the following priorities were set:

• Security of mobile devices from the full range of cyber threats without involving third-party products (antivirus programs, firewalls, etc.).

• Integration with the enterprise security systems. Ideally, the security of mobile devices should be managed from the same console as the rest of the network security management.

• Simplicity and user friendliness. To connect to the system and use it, the user must not have any skills that go beyond the basic skills of handling the device. All settings and installation steps must be performed by the administrator remotely.

• Wide coverage of various client devices within the BYOD paradigm. Almost all mobile operating systems and hardware platforms on the market have to be supported.

• Managing all system functions from a single console, covering both stationary workstations and mobile devices. Convenience and ease of maintenance are the most important means of ensuring reliable operation of the system, and the mutual integration of one vendor’s products plays a major role in that.

• Low total cost of ownership. The product must provide the maximum range of required functions for mobile device management and data security without involving third-party products.

Moreover, with a system of this kind it is not enough to have rich functionality. Above all it should be convenient for both the user and the administrator. Customers of MDM systems value their employees’ time, and the ease of mastering the product is often an important criterion.

Conclusion

A proper MDM system does not just give employees the opportunity to work remotely and comfortably on mobile devices; it also eases the burden on IT support and protects confidential data. More often than not, the most important consideration when selecting such a system is its functionality scope. Do not assume that one product will satisfy all of your requirements. It may need to be supplemented by third-party products, which can create additional difficulties during implementation and increase the total cost of ownership. In other cases the key factor is the quality of the vendor’s technical support, and sometimes the total cost of ownership plays a major role, which may also affect the selection criteria. In other words, no system is perfect, and the probability of “hitting the bull’s eye” depends primarily on the accurate framing of the customer’s requirements.

Tips