
IT acronyms have a tendency to pop up like mushrooms on a suburban lawn after a 3-day rain storm. Even seasoned pros occasionally find themselves stumped by one or two that have slipped past their radar. After learning quite a while back that BYOD didn’t stand for “Bring Your Own Date,” I felt relatively confident that I knew most all of the acronyms associated with mobile computing and mobile security. It was only during the past week that I was disabused of this false sense of confidence.
I was discussing BYOD and the challenges of securing both user-owned devices and the corporate network with the IT director for an organization I work for. Recalling the “Cyber Threat Intel” course by Cybrary’s Dean Pompilio, I brought up the topic of a mobile device provisioning server and how that could address the problem. He said that his department was indeed investigating such a solution and mentioned a particular product offering that was new to me. This set in motion an investigation into the topic of MDM which sent me down the acronym rabbit hole. It’s a fascinating topic and it also presented me with the opportunity to not only learn more about the subject, but also create a post title almost exclusively constructed from acronyms. A true win-win situation!
The BYOD challenge and more acronyms
The promise of BYOD bundles a host of security challenges. Implementing a BYOD policy has advantages for both employees and employers. Employees get a seamless mobile computing environment between work and personal use, and employers are spared the additional expense of outfitting staff with work-issued devices. However, with this convenience and cost savings come security risks, some of them considerable. In fact, some have just said ‘no’ to BYOD, instead biting the bullet and incurring the expense of purchasing enterprise-issued mobile devices. Fortunately, an alternative has emerged to mitigate much of the risk presented by the burgeoning BYOD culture.
First, let’s get some acronym definitions out of the way. My apologies if, unlike me, you’re already familiar with these. At the top of the heap is EMM (enterprise mobility management). This is the umbrella category for MDM (mobile device management), MAM (mobile application management), and MEM (mobile email management). For the sake of brevity, we’ll just focus on MDM, but MAM and MEM are closely coupled with MDM.
Keeping employees and devices out of trouble
At its core, MDM provides a centralized management point for mobile devices. This encompasses not only smartphones and tablets, but also extends to laptops which, when you think about it, are computing devices often in transit. The goal of MDM is to not only secure mobile devices, but just as importantly, secure the corporate network and the data that traverses it. It’s also instructive to examine MDM within the broader context of Risk Management. If you’ve taken any of the Cybrary courses on this topic, then you know that a series of security policies govern every aspect of Risk Management. MDM solutions provide the means for instituting and enforcing these policies with respect to mobile devices. In effect, it keeps employees and their devices honest and out of trouble while on the go.
MDM solutions come in two basic flavors: cloud-based as SaaS (you know this acronym, right?) and on-premises in the form of a self-hosted server. Self-hosted varieties may be either virtualized solutions or in the form of a much more expensive hardware platform. The basic architecture of most MDM solutions is the good old client-server model. The server handles the management piece and a client-side app is installed on mobile devices to handle communications with the server and implement local configuration settings and updates at the behest of the MDM server.
The first step in the MDM process is known as “enrollment.” Not an acronym, but a nice bit of terminology that aptly describes the process of registering and provisioning mobile devices. The client-side apps can either be purchased and downloaded directly from mobile app stores such as Google Play and the App Store for Android and Apple iOS respectively or installed from an enterprise server. Provisioning begins with configuring mobile OS settings restricting what the device can actually do. The mobile browser is typically disabled and replaced with a more secure one from the MDM provider.
Communication between the MDM server and mobile devices is via OTA (over-the-air programming), typically via binary SMS. Devices can be configured individually or as a group (fleet). Using this technique, remote updating of the mobile OS and software is achieved. Devices can also be remotely locked or wiped in the event of loss or theft. This is crucial for preventing the exfiltration of corporate data.
Solutions with a lot in common
From the MDM solutions I researched, most all support a similar set of features. This isn’t too surprising owing to the open set of standards governing the technology. A key feature of all systems is full disk encryption of mobile devices. Another fun term is “containerized encryption” to describe this feature. Where product offerings differ (and some distinguish themselves) is with the user experience of the admin console on the MDM server. Some products provide a geofencing feature that generates alerts and enforces policy actions should a device cross preset boundaries.
There are many other features comprising MDM products and this is where MEM and MAM come into play. Very tight control can be exercised over the apps on an employee’s mobile device, ranging from white-listing/black-listing to full removal of prohibited apps. It’s worth exploring these features in-depth if you’re considering an MDM solution for your organization or a client.
Licensing arrangements for MDM products vary between per device or organization-wide. Per-user licenses are also available from some vendors where all of a user’s devices are covered by a single license. The solution that makes the best economic sense will primarily depend on an organization’s size. Most client-side apps are relatively inexpensive with some as low as $2 per month. But the math begins to look promising for vendors when spread across the tens of thousands of clients they are able to sign up.
The tide of the BYOD movement can no longer be held back. Employees are going to use their own devices to conduct work regardless of whether a formal policy exists. Employers have been enormous beneficiaries of the always connected workforce. If employees want to check and respond to work emails while vacationing in the Bahamas, well, let them have at it. Just be sure to go the extra distance to ensure what happens in the Bahamas stays there and keeps its sticky Margarita fingers off your confidential corporate data.
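The policy features described above (encryption enforcement, app black-listing and geofencing) can be pictured as a server-side check run against each device check-in. The sketch below is an added example, not code from any MDM product; the policy fields, action names, app identifiers and coordinates are all constructed for illustration.

```python
import math
from dataclasses import dataclass

# Hypothetical fleet policy; every field name and value is constructed.
@dataclass
class Policy:
    require_encryption: bool = True
    blacklisted_apps: frozenset = frozenset({"com.example.filedrop"})
    fence_center: tuple = (40.7128, -74.0060)  # (lat, lon) of permitted area
    fence_radius_km: float = 50.0

# What the client-side app is assumed to report to the server.
@dataclass
class CheckIn:
    device_id: str
    encrypted: bool
    installed_apps: set
    location: tuple  # (lat, lon)

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

def evaluate(policy, report):
    """Return the ordered (action, detail) list the server would queue."""
    actions = []
    if policy.require_encryption and not report.encrypted:
        actions.append(("quarantine", "storage not encrypted"))
    # Sorted so the resulting command list is deterministic.
    for app in sorted(report.installed_apps & policy.blacklisted_apps):
        actions.append(("remove_app", app))
    if distance_km(policy.fence_center, report.location) > policy.fence_radius_km:
        actions.append(("alert_and_lock", "outside geofence"))
    return actions

# Constructed sample check-ins: one compliant, one violating all three rules.
REPORTS = [
    CheckIn("tablet-01", True, {"com.example.mail"}, (40.73, -73.99)),
    CheckIn("phone-02", False,
            {"com.example.mail", "com.example.filedrop"}, (25.05, -77.35)),
]

if __name__ == "__main__":
    for r in REPORTS:
        print(r.device_id, evaluate(Policy(), r) or "compliant")
```

An empty action list means the device is compliant; anything else is what the admin console would surface as an alert or push to the device as a command.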