Post on 03-Apr-2018
7/29/2019 Guidelines for Selecting Right Mobile Device Management (MDM) Vendor for Your Business.
1/22
MOBILE DEVICE MANAGEMENT
DEPLOYMENT, RISK MITIGATION & SOLUTIONS
From
Mobile Device Management
Confidential Network Intelligence (India) Pvt. Ltd. Page 2 of 22

NOTICE

This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence.

Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence.

Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein.

Copyright

Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.

NII Consulting, AuditPro, Firesec, NX27K is a registered trademark of Network Intelligence India Pvt. Ltd.

Trademarks

Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

NII CONTACT DETAILS

Network Intelligence India Pvt. Ltd.
204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E),
Mumbai 400 069, India
Tel: +91-22-2839-2628
+91-22-4005-2628
Fax: +91-22-2837-5454
Email: info@niiconsulting.com

Contents

1. Introduction
2. Typical Design of MDM solution
3. Understanding BYOD and MDM
a. Bring Your Own Device (BYOD) policy and MDM in an enterprise
b. Are BYOD and MDM same things?
c. If I have a BYOD policy at my company, is MDM deployment necessary?
d. Okay, so how do I effectively communicate mobile security policy to employees?
4. Adopting "Personal-liable approach" for Mobile Devices
a. Benefits in adopting "Personal-liable approach" for personal mobile devices
b. Security costs incurred for adopting personal-liable approach
c. Questions to ask before opting for Personal-liable approach for MDM
5. Selecting an optimal MDM delivery methodology
a. Premise-based
b. Software as a Service (SaaS)
c. Managed Services
6. Designing BYOD policy before deploying MDM
a. Do your Homework
b. Identify user needs
c. Enacting an End-User License Agreement (EULA) corporate policy
d. Addressing the privacy concerns
e. HR and Legal concerns
f. Training Users and Helpdesk Support
g. Addressing Authentication issues
h. Defining Mobile Device Security Rules
7. MDM Deployment
a. Policy
b. Risk Management
c. Configuration Management
d. Software Distribution
e. Procurement issues
f. Device policy compliance and enforcement
g. Enterprise Activation / De-Activation
h. Enterprise Asset Disposition
i. User Activity Logging
j. Security Settings
8. Challenges during MDM implementation
a. Hidden costs and corporate governance issues
b. Employee unawareness about information security while using mobile endpoints
9. Picking the right MDM vendor
10. MDM vendors
a. Popular MDM Vendor List
b. Salient Features of some of the leading MDM vendors
11. How we can help your organization?
a. Strong support of Solutions Team
b. Security Awareness Trainings
c. Social Engineering Exercises
12. References

1. INTRODUCTION

The explosive growth in the popularity of mobile devices and in their powerful features has led to a sharp rise in the usage of smartphones, tablets and mobile POS devices in the corporate world. Apart from the mobility advantage, these devices have become more efficient, offering better business growth and increased networking advantage and bringing better employee productivity at the workplace. As the market for these devices continues to develop at an exponential rate, concerns about the safety of the sensitive corporate data present on mobile devices, in transit or at rest, also grow proportionately, as tracking the data and relying on its integrity become increasingly challenging. Further, enforcing corporate governance and complying with local laws and trans-border regulations also pose a serious challenge in this case. Hence a technical method to secure, monitor, manage and support mobile devices deployed across mobile operators, service providers and enterprises is the need of the hour, which has led to the development of Mobile Device Management (MDM).

What is Mobile Device Management (MDM)? [1]

Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablets, mobile printers, mobile POS devices, etc. This applies to both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers.

By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.

What do you mean by "over-the-air"?

Over-the-air programming (OTA) capabilities are considered a main component of mobile network operator and enterprise MDM software. These include the ability to remotely configure a single mobile device, an entire fleet of mobile devices or any IT-defined set of mobile devices; send software and OS updates; remotely lock and wipe a device; perform remote troubleshooting; and so on. OTA commands are sent as a binary SMS message. MDM enables IT departments to manage many mobile devices used across the enterprise.

What is Open Mobile Alliance (OMA)?

The Open Mobile Alliance (OMA) is a standards body which develops open standards for the mobile phone industry. The OMA Data Management specification is designed for management of small mobile devices such as mobile phones, PDAs and palm top computers. It supports the following typical uses:

- Provisioning: configuration of the device (including first time use), enabling and disabling features
- Configuration of device: allow changes to settings and parameters of the device
- Software upgrades: provide for new software and/or bug fixes to be loaded on the device, including applications and system software
- Fault management: report errors from the device, query about status of device

Since the OMA DM specification is aimed at mobile devices, it is designed with sensitivity to the following:

- Small foot-print devices: where memory and storage space may be limited
- Constrained bandwidth of communication: such as in wireless connectivity
- Tight security: as the devices are vulnerable to virus attacks and the like; authentication and challenges are made part of the specifications

Why the sudden demand for managing mobile devices?

The popularity of personal smartphones and tablets has created a strong demand to use personal devices at work. Employees feel more comfortable using their own personal devices for work and are willing to bear the cost of liability, maintenance and upgrades. The boost to employee morale and the cost savings to the employer are the major attractions of the employee-liable approach to using personal devices at the workplace. Also, the obvious networking advantages offered to C-level executives, managers and top management directors for extending business growth and exploring profitable avenues while on the move present a compelling case for using mobile devices at the workplace or during travel.

However, the risks associated with these devices, such as sensitive corporate data going into the wrong hands and the danger of facing litigation due to an intentional or unintentional data breach, or data losses suffered due to a lost or misplaced device, make a ready case for managing the mobile devices. There are also legal and HR-related issues that need to be ironed out if the employee-liable ownership approach is adopted for the accountability of the devices.

An organization will still be responsible for maintaining security for these mobile devices as per federal mandates such as SOX, HIPAA etc., but since the devices are not owned by the organization, securing the device and the data becomes a tricky issue, as the organization may or may not own the mobile device in question in the first place. Thus enforcing accountability becomes tricky in such cases.

Using Mobile Device Management (MDM) solutions, organizations can partially own these devices by enforcing corporate policies and procedures on them. Hence investing in an MDM solution makes sense in these situations.

2. TYPICAL DESIGN OF MDM SOLUTION [1]

Typically, solutions include a server component, which sends out the management commands to the mobile devices, and a client component, which runs on the handset and receives and implements the management commands. In some cases a single vendor provides both the client and the server; in others, the client and server come from different sources.

Central remote management, using commands sent over the air, is the next step. An administrator at the mobile operator, an enterprise IT data center or a handset OEM can use an administrative console to update or configure any one handset, group or groups of handsets. This provides scalability benefits, particularly when the fleet of managed devices is large.

3. UNDERSTANDING BYOD AND MDM

a. Bring Your Own Device (BYOD) policy and MDM in an enterprise [1]

As Bring Your Own Device (BYOD) business policy is becoming more popular, corporations can use MDM to allow employee-owned devices inside the corporate firewall due to better device management capabilities. Employees also have more freedom to choose the device that they like instead of being forced to use particular brands by the IT department. Using MDM, IT departments can also manage the employee devices over-the-air with minimal intervention in their schedules.

b. Are BYOD and MDM same things? [2]

No. BYOD (Bring your own device) is a business policy of allowing employees to use their own devices for carrying out business-related work by granting access to company resources backed by proper authentication controls. BYOD represents a policy of offering mobility to a very broad range of organization resources, typically delivered either by a robust mobile policy or managed via implementation of MDM, DaaS (Desktop as a Service) etc.

MDM can be thought of as a subset of BYOD, which is designed to securely manage mobile device endpoints by enforcing corporate policies over-the-air on the employees' mobile devices.

c. If I have a BYOD policy at my company, is MDM deployment necessary?

If you have designed and implemented a robust BYOD policy properly across your organization, then you have to evaluate your options carefully before going for an MDM solution. If the primary aim of adopting BYOD was only to get rid of device ownership, it will not make sense to invest in MDM (especially if your company is small or medium sized).

However, if your aim is to prevent sensitive data leakage and enforce device security settings for employees as they access sensitive corporate resources, or if your business is rapidly scaling up, it definitely makes sense to implement MDM. Keep in mind that a proper mobile security policy has to be there in any case to protect vital corporate information.

MDM helps to reduce costs and improve productivity in the longer run when implemented correctly for the organization. If implemented improperly on a loosely defined security policy, it becomes expensive to maintain and achieves little to safeguard sensitive corporate information. Hence, proper care and precautions are needed to develop a robust mobile security policy before opting for an MDM solution.

d. Okay, so how do I effectively communicate mobile security policy to employees? [12]

Effective communication means making the employees understand the policy as easily as possible. Make it simple and direct while keeping it short, sweet and to the point. If you can get employees to be aware of the security elements in your environment, they will be the ones who will spot things and report them immediately, assuming they know what to spot and who to report it to. Make them aware of BYOD security policy first, not MDM.

Help your employees understand what is at risk. It comprises not just theft, loss or the exposure of information or device, but other risks which they face while they are mobile. Make them aware of the risks involved in the types of environments that they encounter while being mobile and how they should address them.

4. ADOPTING "PERSONAL-LIABLE APPROACH" FOR MOBILE DEVICES [3]

a. Benefits in adopting "Personal-liable approach" for personal mobile devices

Many organizations may offer their employees a fixed monthly stipend to help offset their monthly voice and data bill. This approach results in predictable mobile expenses for the corporation, and employees become responsible for the costs of their mobile devices and data plans. Hence, expenses related to mobility-related asset management, such as acquisition, maintenance, processing of payment for carrier invoices and disposal of devices, can be heavily reduced or eliminated.

The organization may also position itself as a flexible employer and may be able to recruit and retain tech-savvy workers, who typically have a strong attachment to a favourite mobility platform. Productivity can be increased as employees have more options when working out of the office. Additionally, organizations may be able to secure reduced monthly costs for service and premier-level support from the carriers for their employees.

It is generally observed that employees take better care of their personal belongings as they are more attached to their devices because of the ownership they assume over them.

b. Security costs incurred for adopting personal-liable approach

While the personal-liable model offers benefits for both employees and employers, addressing the important issues of security and governance becomes more complicated and expensive. When sensitive corporate information is stored on a corporate-owned device, the organization can implement and enforce strict controls on the operating system and other features of the device, such as Wi-Fi and Bluetooth, to prevent unauthorized use of that sensitive information. But this is not the case in the personal-liable approach, as the device owned by the employee is not a corporate asset but may carry sensitive corporate data.

Security measures are required to mitigate the risks associated with employees installing applications from app stores. These untrusted applications may expose corporate data or infect other devices in the organization's network. Also, the company might experience additional expenses to support multiple mobility platforms.

Support costs may increase as more, and higher-skilled, help desk personnel are required. Similarly, application development costs may increase. Organizations must implement an employee agreement to address topics that include acceptable use of personal devices and corporate access to the employee's device. The financial arrangements relating to stipends or reimbursement of actual expenses should also be included in this employee agreement. Corporate counsel should carefully weigh any record-keeping requirements for SMS text messages or call logs made from mobile devices and evaluate potential legal consequences of capturing this information from employee-owned devices.

Finally, employees may discover unexpected expenses associated with using their personal device for work. While their current voice and data plans may be sufficient for personal use, usage may expand dramatically when the device is used for work calls and applications. The cost increase may be sharp, especially for employees who travel internationally, where roaming charges make the costs very expensive. If the organization reimburses for actual costs, an employee may find that they spend several hours a month separating their personal costs prior to submitting the bill for reimbursement.

c. Questions to ask before opting for Personal-liable approach for MDM

- Are there any specific concerns that would preclude the use of employee-owned devices?
- Is the organization willing to implement additional security controls to allow a broader range of devices?
- Is the corporation willing to accept a short-term increase in risk to allow newer platforms access to data while the devices' management and security tools mature?
- How will the organization respond to inappropriate material on a personally-owned device? Who decides what is inappropriate?
- Under what conditions could the organization examine the personal property of an employee?
- What are the laws in your jurisdiction? Do laws differ whether the employee uses the device for their own convenience?
- If the risks associated with the personal-liable approach are too high, is there a subset of employees with a lower overall risk profile that might qualify for personally-owned devices?

5. SELECTING OPTIMAL MDM DELIVERY METHODOLOGY [9]

Three MDM delivery mechanisms are available, which you can choose from depending on your staff expertise and the investment you are willing to make for deploying MDM in your organization.

a. Premise-based

If you want to maintain a high degree of control and also have reliable IT skills and resources, then you would likely select a premise-based solution. This is ideal if you prefer to directly control the system's security and administration. A premise-based MDM solution requires a larger up-front investment.

b. Software as a Service (SaaS)

If you don't want to maintain servers at your site(s) but still want the management and administration to be in your hands, then you should consider an on-demand offering. Customers can negate or minimize the up-front cost and instead pay a monthly or annual fee for the system.

c. Managed Services

If your IT department is over-extended or lacks the required expertise, you can consider a managed services offering. This option allows you to turn the management function over to experts who handle it for you. This proactive management service provides support without draining internal resources and still provides regular status reports so that you are aware of specific items like roll-outs, software/hardware updates and asset/inventory control.

Consider each method carefully. Enquire with vendors and look for one that can support all of the deployment options to best serve you now and into the future.

6. DESIGNING BYOD POLICY BEFORE DEPLOYING MDM [5]

A successful MDM implementation cannot be completed without proper planning of BYOD business policy and procedures. While BYOD policies establish a common ground of communication between the employer and the employee and define the boundaries of ownership of the data present on personal mobile devices, MDM offers the employer and organization peace of mind if any unwanted incident is reported. The security of the data can then be managed via remote wipe, encryption, self wipe etc.

a. Do your Homework

- Work with the Legal and HR departments to define a personal device policy aligned with the organization's information policy
- Use social media to open a dialogue with employees to get a feel for their work style and support needs
- Develop new authentication methods and device management policies that help safeguard corporate information and intellectual property
- Provide training on information security for employees and on the personal device policy for IT Service Desk personnel

By applying safeguards to protect information and intellectual property, employees can select the tools that suit their personal work styles and facilitate their job duties. This improves their productivity and job satisfaction.

Identify minimum security specifications such as:

- Make two-factor authentication mandatory to push e-mail
- Secure storage using encryption
- Security policy setting and restrictions
- Secure informational transmittal
- Remote wipe capability
- Ability to check viruses from server side
- Patch management and enforcement software for rules
- IDS capabilities on server side of connection

b. Identify user needs

Construct a blog, online poll or questionnaire to find out the needs of the user. Take user feedback on questions such as:

- Why do you want to use your own device(s) for work?
- What would you give up to use your device for work?
- What does your personal device do to help you work?
- Would you increase security habits for more device freedom?

By analyzing the responses in close collaboration with the HR and Legal teams, you can make informed decisions about forming the policy on usage of mobile devices.

c. Enacting an End-User License Agreement (EULA) corporate policy

The EULA provides the employees very clear instructions on what they can or can't do with a device. Stress has to be placed on managing and protecting the corporate data stored on the device. Also, emphasis has to be placed on not sharing the unlocked device with non-corporate users, including friends or family. If any company data resides on their devices, it should be backed up to a company-owned device by default. Types of devices allowed, such as tablets, smartphones etc., must be stated clearly in policy. The EULA policy must be generic enough to cover all the allowed devices sufficiently.

The EULA must be reviewed, preferably each quarter, to ensure that as the technology and user demand change, the legal protection provided by the policy remains up to date. Users must re-sign the updated EULA when they move to new technology. Finally, it should be made clear that employees who refuse to sign the EULA can't use personal devices to access corporate information.

d. Addressing the privacy concerns

For addressing the privacy concerns, policy must clearly define the following terms:

- Corporate-owned data: business data or intellectual property owned by the company.
- Employee-owned data: data owned by the employee, such as task list, notes, family photos.
- Personal data: data controlled by privacy legislation, such as medical records, home address.

In cases where there is a cross-over between personal and corporate-owned data, such as calendar records, the policy should state clearly that during an investigation, the confiscated device's personal data may be viewed during forensic analysis.

e. HR and Legal concerns

HR policy must state clearly under what circumstances the employees will be compensated for work outside their working hours. Time sheets must adequately reflect those activities. Legal policy must state that in case of legal hold or eDiscovery, the employee must immediately surrender his/her device on request, after which all files may be copied and relevant ones may be used to pursue the legal matter. Employees who are subjected to legal hold might have certain restrictions on device usage and should agree to continue work under those restrictions.
f . Training Users and Helpdesk SupportStating the policy is the easy part. The hard part is to train users about what policy meansand how to protect information on their devices as the BYOD trend and MDM
implementation is relatively young and not well understood by users. Users must be
made aware of the risks/penalties that will result if sensitive corporate information isleaked out by accident/intention. Sharing the device with family and friends should be
discouraged and employees must be made aware of the risks that might emerge in adventof such behaviour. Violation of these rules must attract appropriate disciplinary controls
7/29/2019 Guidelines for Selecting Right Mobile Device Management (MDM) Vendor for Your Business.
15/22
Mobile Device Management
Confidential Network Intelligence (India) Pvt. Ltd. Page 15 of 22
as defined by the policy. It is crucial for employees to understand that the helpdesk is tobe contacted first in case of lost/stolen device. Once the incident is reported, helpdesk
can quickly issue a data wipe on device over carrier wave. Many employees in a wave of
panic might inform carrier service about the device lost/stolen first. In such cases, datawipe can't be issued as the carrier service has already been shut down on request of
employee. Any charges incurred such as fraudulent calls etc may be reimbursed bycompany later.

Apart from employees, helpdesk and support staff must undergo mandatory training to reduce any chance of miscommunication on queries raised by employees. Care must be taken that they don't accidentally invalidate the EULA policy by supplying incorrect answers. Extensive mock drills must be conducted after every policy review or revision to minimize such incidents. FAQ manuals must be made available online to everyone for ready reference.

g. Addressing Authentication Issues
For better security, two-factor authentication is used for accessing corporate information. But since the device is unknown in this case, the challenge lies in how to achieve it. For this, a random text message is sent to a predefined phone number. Thus, the text message sent by the server is the "must-know" factor and the phone number is the "must-have" factor, which together enable 2-factor authentication.

h. Defining Mobile Device Security Rules [12]
A device used for accessing corporate data must meet the following prerequisites:
- The device user must have signed the company's EULA policy.
- It must have a personal identification number (PIN).
- It has to support a code lock.
- It has to have an auto-lockout feature.
- It has to support encryption.
- It has to support remote wipe.

Further, security policies must be enforced via MDM, such as:
- User-defined lock code of minimum length as defined in policy.
- Auto-lockout period set as per policy.
- Issuing a data wipe if the user reports the device to be stolen.
- Automated data wipe issued (for corporate data only or both) after x number of incorrect tries to open the lock screen.
- All corporate data is encrypted with a strong key.
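
One way to evaluate a device against the prerequisites and enforced policies listed above, as an added example that is not part of the original document and not any vendor's API. The `Policy` and `Device` field names, the threshold values and the `allow`/`block`/`wipe` actions are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass
class Policy:                      # thresholds are constructed sample values
    min_lock_code_length: int = 6
    max_auto_lock_seconds: int = 120
    max_failed_unlocks: int = 10   # the "x" incorrect tries in the list above
    wipe_scope: str = "corporate"  # "corporate" (selective) or "full"


@dataclass
class Device:                      # hypothetical fields an MDM agent might report
    owner: str
    eula_signed: bool
    lock_code_length: int          # 0 means no PIN / code lock is set
    auto_lock_seconds: int         # 0 means auto-lockout is disabled
    encryption_enabled: bool
    remote_wipe_supported: bool
    failed_unlocks: int = 0
    reported_stolen: bool = False


def evaluate(device, policy):
    """Return (violations, action) for one device against the policy."""
    violations = []
    if not device.eula_signed:
        violations.append("EULA not signed")
    if device.lock_code_length < policy.min_lock_code_length:
        violations.append("lock code shorter than policy minimum")
    if not 0 < device.auto_lock_seconds <= policy.max_auto_lock_seconds:
        violations.append("auto-lockout disabled or too long")
    if not device.encryption_enabled:
        violations.append("encryption not enabled")
    if not device.remote_wipe_supported:
        violations.append("remote wipe not supported")

    # Wipe triggers take priority over ordinary non-compliance.
    wipe_due = (device.reported_stolen
                or device.failed_unlocks >= policy.max_failed_unlocks)
    if wipe_due and device.remote_wipe_supported:
        action = f"wipe:{policy.wipe_scope}"
    elif wipe_due or violations:
        action = "block"           # cannot wipe or not compliant: deny access
    else:
        action = "allow"
    return violations, action
```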

7. MDM DEPLOYMENT [8]
Essential components of MDM to consider during the deployment phase are:

a. Policy
A well-defined policy provides management direction and support for IT and information security and is the foundation for a solid framework implementation.

b. Risk Management
Periodic assessment of risk should be done. For high-risk cases, additional controls may be implemented to reduce risk to an acceptable level. Similarly, for low or non-existent risks, minimal controls may suffice.

c. Configuration Management
This involves automatic configuration of device settings such as password policy, email, Wi-Fi and VPN. This aids in eliminating user errors and minimizes vulnerabilities caused by misconfiguration. It also includes configuration lockdown as per the user's role-based permissions to enforce corporate IT mobility policies.

d. Software Distribution
This includes over-the-air updates/patches for OSs, applications, synchronization, fixes etc. Backup and restore operations become vital in situations of device crash and replacement in case of any intentional/unintentional wipe-out. When aligned with corporate mobile policies, it ensures that only trusted mobile applications are distributed. Together with configuration management, software distribution enables white-listing/black-listing of applications on mobile devices. For maximum efficiency, it is recommended to test mobile applications separately for trustworthiness before distributing them over-the-air via MDM.

e. Procurement Issues
It is important to coordinate with the HR and Legal teams to define certain terms and conditions in policy and employee agreements. Liability for all parties must be clearly defined in these agreements. This should include private usage of corporate services, expense compensations, employee privacy policy, shared responsibilities for device and content security, misuse, secure wipe of the device including personal data in case of device loss/theft etc.

f. Device Policy Compliance and Enforcement
This is involved in device supply, control and tracking. Asset-based inventory assessments are critical prerequisites for policy enforcement to comply with corporate/regulatory mandates around policies, jail-broken/rooted device detection, encryption, privacy-based separation of corporate content vs. personal content etc. It is also concerned with alerts and notifications for asset reporting about devices, users and apps. Overall, it provides effective governing control over mobile endpoint devices, which can be easily tested against ISMS standards such as ISO 27001, making audit activities easier as well.

g. Enterprise Activation / De-Activation
Proper implementation of this functionality to connect mobile devices to the enterprise network reduces the administrative burden of provisioning and re-provisioning on the IT department. Details exchanged with the server typically include OS, device identifier, IMEI number etc. After activation, some configuration settings might be changed, such as enabling encryption, password settings, application restrictions etc.

h. Enterprise Asset Disposition
This involves removal of physical devices by de-commissioning, or releasing them to the BYOD owner in case of device exchange, upgrade or permanent de-commissioning. Follow-up procedures include notifying inventory management, generating a user receipt, accepting user acknowledgement etc. If decommissioning is permanent, a secure wipe of corporate data must be done and the device should be handed over to the employee with his/her private data untouched.

i. User Activity Logging
Logging must be done carefully in accordance with the various privacy laws, rules and regulations of the country in which the company operates its business. Professional legal counsel must be approached before defining the policies governing user activity logging.

j. Security Settings
These can be categorized into user security and data security. Data security consists of wiping corporate data/personal data in case of device loss/theft. It also extends to role-based user permissions enforced via MDM solutions. User security consists of encryption, authentication on enterprise portal login, lock code, and selective wipe in case a remote wipe is issued. Selective wipe leaves personal data as it is and erases only the corporate data residing on the mobile device. It also covers certificate-based authentication.

8. CHALLENGES DURING MDM IMPLEMENTATION [6]

a. Hidden costs and corporate governance issues
Enterprises typically see MDM implementation as a measure to save costs and manage mobile endpoints effectively in the process. Often MDM is seen as a complementary practice exercise in tandem with BYOD policy. But the reality is that if your BYOD business policy is not properly defined or effectively enforced, an MDM solution will be patchy at best and cost-prohibitive at worst.

Also, mobile OSs natively run in a sandboxed environment and hence, unless rooted/jail-broken, will pose great difficulty in enforcing corporate policies. But as mobile OSs themselves evolve over time, many MDM-like features will be provided natively by them.

Corporate governance becomes complex as mobile endpoints, which may or may not be owned by the enterprise, are added to the asset inventory. If your mobile device policy or BYOD policy is not properly defined, MDM may report false positives or a large number of false negatives if not properly implemented. This will lower employee morale and cause confusion and mayhem at the workplace. Cost escalation might be the direct consequence of a bad implementation of an MDM solution.

b. Employee unawareness about information security while using mobile endpoints
Employees may freely share their devices with co-workers, family members or friends, which can increase the chances of accidental breaches of corporate information. Identity theft may result in extreme cases, and if some unwanted or intentional damage is caused by that, the blame squarely rests on the employee, who might have to suffer consequences such as job dismissal in case of fraud done by "his (enemy) friend". Using social engineering, competitors can fool the employee into revealing details by handing over his mobile device for a "few minutes", gathering valuable information for corporate espionage.

To counteract these threats and the associated risk, information security awareness programs and trainings must be conducted on a mandatory attendance basis to equip employees to counter such attacks.

9. PICKING THE RIGHT MDM VENDOR [4]
Observing closely, security features such as remote wipe, encryption and enforced password requirements are pretty standard and are provided by almost all the vendors. So, look at the other areas where you could address your business needs better.

Key factors to consider while shopping for an MDM solution:
- Deployments: Assess how efficiently the MDM agent can be deployed on a new device. Deploying new phones isn't a one-time job; it's never-ending.
- White-list and blacklist filters: You'll have apps that every employee must install, some that are banned, and some apps that you insist are updated to at least a certain version.
- Custom Appstore: Is there a feature offered by the MDM vendor for installing custom, unapproved apps and setting up a company app store experience?
- Application security: Does the MDM vendor offer built-in support for malicious application scanning?
- Browser security: Filtered mobile Web browsing can lower the risk of attack on a device. Is the MDM provider implementing this level of security?
- Encryption levels: Do you have to encrypt the entire device, or does the MDM provider let you encrypt company-specific or selected files and folders?
- Data wiping: Is there support for selective wipe, which erases only corporate data in case a remote wipe is issued?
- Auto-provisioning of devices: Is there any option for automatic device provisioning?
- Architecture: Examine the vendor's approach to the MDM solution, such as sandbox, virtualization or integrated approach. This is important in understanding the vendor's technology and your future road map planning.
- Location capabilities and network access restrictions: Do you want to let employees use their device's camera for personal use but not at the office? Check whether the MDM solution supports such policies. How robust are the policies?
- Inventory management: Is it easy to search, custom filter and modify individual mobile endpoints among hundreds of managed mobile devices? What filtering capabilities are provided?
- Reports: Is there built-in reporting for new devices provisioned, apps out of compliance and devices that haven't checked in for a day or a week?

10. MDM VENDORS

a. Popular MDM Vendor List
- MobileIron
- AirWatch
- Zenprise
- Good Technology
- FiberLink
- BoxTone

b. Salient Features of some of the leading MDM vendors [11]

MobileIron:
- Healthy mix of partnership relations with distribution channels and OEMs such as AT&T, Vodafone, Apple, Google, Microsoft, RIM, Cisco, HP and IBM.
- Demonstrates life cycle management, including usage monitoring, cost control, application deployment and version control.
- Offers strong support for corporate and personal devices.
- Strong reporting and dashboard capabilities.
- Supports text messaging archiving for devices connected to corporate email.

AirWatch:
- Has a strong security focus, with enterprise integration services that encrypt traffic between the enterprise's servers and its cloud system.
- Offers Web-based as well as agent-based enrolment.
- Strong capability to profile, with detailed and easy-to-use policy settings.
- Has a strong administrative interface which is easy to use and manage.
- Easily scalable and can support large numbers of users across multiple areas.

Zenprise:
- Zenprise Mobile DLP provides innovative secure container solutions to operate on local mobile devices, as well as to be accessed in the cloud.
- Application-blacklisting technique works across Apple iOS and Google Android devices.
- Offers its own secure Web gateway and can also integrate with Blue Coat Systems and Palo Alto Networks.

Good Technology:
- Large installed base in regulated sectors, such as financial services, government, defense, public sector, healthcare and professional services.
- Good Technology has the strongest implementation of containerization.
- Has strong security capabilities, including FIPS 140-2 crypto libraries, end-to-end 192-bit encryption, multiple-factor authentication and multiple certifications.

11. HOW WE CAN HELP YOUR ORGANIZATION?

a. Strong support of Solutions Team
NII has been working in close association with leading MDM solution products. Our solution team is well trained and qualified to handle any support-related queries you may have.

Currently we have actively associated our MDM partnership with MobileIron. Our team consists of certified MobileIron experts who understand each and every module of the solution and have extensive hands-on experience.

b. Security Awareness Trainings
We conduct numerous security trainings for our clients and help them to understand the risks faced by carrying corporate data on their mobile devices. We put forward the precautions and industry best practices they need to follow for securing sensitive information.

c. Social Engineering Exercises
We also conduct live sessions on social engineering exercises which demonstrate, by practical examples, how even a person reasonably well informed about security can be easily tripped up by cleverly crafted social engineering attacks. Having knowledge of these kinds of attacks makes sure your corporate data is secure in the hands of your employees.

12. REFERENCES
1. http://en.wikipedia.org/wiki/Mobile_device_management
2. http://en.wikipedia.org/wiki/Bring_your_own_device
3. http://www.secureworks.com/resources/whitepapers-shortcut/74568
4. http://www.informationweek.com/global-cio/interviews/byod-why-mobile-device-management-isnt-e/240142450
5. http://www.intel.in/content/dam/www/public/us/en/documents/best-practices/enabling-employee-owned-smart-phones-in-the-enterprise.pdf
6. http://software.intel.com/sites/billboard/sites/default/files/Maintaining_Info_Security_Allowing_Personal_Hand_Held_Devices_Enterprise.pdf
7. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf
8. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Device_Management_Key_Components.pdf
9. http://www.wavelink.com/whitepapers/avalanche-delivery-whitepaper.pdf
10. http://i.dell.com/sites/content/business/solutions/whitepapers/en/Documents/unlocking-power-mobile-device-management.pdf
11. https://dell.symantec.com/system/files/Magic_Quadrant_for_Mobile_Device_Management_Software.pdf
12. http://searchsecurity.techtarget.com/news/2240148521/BYOD-security-policy-not-MDM-at-heart-of-smartphone-security
13. http://boxtone.com/white-paper-lp/enterprise-iphone-ipad-ciso-security-wp-web.aspx
14. http://info.desktone.com/whitepaper-byod-implications-for-it-virtual-desktops.html