For many enterprises, mobile device management (MDM) is an afterthought -- a band-aid to mend the operational and security gaps created by workforce mobility. Loosely coupled systems can address near-term challenges, but long-term success will require some degree of integration between MDM and the rest of your IT infrastructure and processes. Here, we consider several "touch points" where MDM must (eventually) dovetail with past and future IT investments.
On edge: Joining the corporate network
Integration with your corporate network -- usually at the perimeter -- is required for nearly all mobility initiatives. Most MDM servers are deployed in the network's demilitarized zone (DMZ). Some MDMs can use a proxy server that sits in the DMZ, interacting with a main server inside the trusted network, providing an added layer of defense.
In either case, you must permit selected network protocols and ports between the MDM server/proxy and mobile devices, directly or through your wireless carrier's gateway. In most cases, you will also need to allow narrow communication between the MDM and other trusted servers (e.g., email, directory). Typically, this integration requires firewall rule changes, but it can also have an impact on your threat management policies -- for example, if your firewall scans for viruses, will it do so before or after traffic reaches the MDM server?
Over the air: WLAN infrastructure
Many mobile devices spend their lives interacting with the corporate network from afar, but some devices -- particularly those with Wi-Fi interfaces -- can also be local. In this case, your MDM may need to interface with your wireless LAN infrastructure.
Your MDM may supply its device inventory database to your WLAN switch or wireless IPS for access control or intrusion detection. In return, your WLAN may supply your MDM with valuable insight into connection status and historical activity. Today, these systems tend to interact through file import/export and alerts, but converged devices with multiple wireless interfaces will lead to tighter integration.
Who goes there? Authentication and identity
MDMs can have their own user databases, but most enterprises want to reuse existing authentication services and identity stores (e.g., Active Directory, LDAP, eDirectory). This creates two integration points: authentication and policy storage.
When a user tries to activate a new device or access services (e.g., password reset), your MDM must validate that user's credentials. For example, your MDM might use Active Directory to log a mobile user into your Windows domain, retrieving policy attributes that dictate what that user can and cannot do. You may also want to use that directory to store MDM-generated attributes -- for example, binding mobile device IDs to users.
All together now: Desktop management
If your company already uses a desktop management system like LANDesk or Microsoft System Center, it could make sense for you to tap those products (directly or using plug-in extensions) to configure and maintain your mobile devices too.
But a single device management system may not be a good fit for your mobile workforce. Perhaps you need to support more diverse mobile devices, or perhaps you have already invested in a pure-play MDM that focuses on mobile needs. In those situations, you may still find opportunities to reuse policies, practices and staff to simplify maintenance and promote consistency, for both administrators and end users.
Layer defenses: Mobile security solutions
Many MDM solutions incorporate a few security features -- for example, some present their own login screen to authenticate device access and enforce policies regarding password length, complexity, update and recovery. However, MDMs do not necessarily provide all the security measures you may need to deploy on a given mobile device.
For example, a growing number of businesses want to encrypt data stored on mobile devices. Although some MDMs do this, many do not. Furthermore, you may want to use third-party data encryption that delivers cross-platform support for smartphones, PDAs and laptops. Even so, there may be opportunities for integration, like using your MDM to install the encryption program and verify correct configuration and operation. Similar possibilities exist for other third-party security solutions (e.g., VPN, antivirus).
Keep your eye on the ball: Event monitoring
Most MDMs collect a wealth of information about mobile devices and their activities for purposes of reporting, alerting and auditing. Of course, you probably already have numerous event sources throughout your corporate network -- and perhaps even a central event management system to analyze them.
MDMs can fit into that "big picture" by supplying real-time alerts (e.g., traps, email) and historical logs describing mobile devices and their activities. This integration point may eventually leverage standards -- for example, the Open Mobile Alliance (OMA) Device Management (DM) standard specifies a Generic Alert to convey client- or server-initiated management alerts.
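As an added example (not from the article), here is how an event collector might normalise an OMA DM Generic Alert into a flat record for a central event management system. The SyncML message, device ID, management-tree URI and alert type are constructed, and the mapping of Generic Alert severity marks to syslog-style levels is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: one OMA DM Generic Alert (alert code 1226) as a device
# might send it inside a SyncML package. URI and type values are hypothetical.
SAMPLE_ALERT = """<Alert xmlns="SYNCML:SYNCML1.2">
  <CmdID>3</CmdID>
  <Data>1226</Data>
  <Correlator>job-42</Correlator>
  <Item>
    <Source><LocURI>./Security/Policy/Passcode</LocURI></Source>
    <Meta>
      <Type xmlns="syncml:metinf">Reversed-Domain-Name: com.example.mdm.policyviolation</Type>
      <Format xmlns="syncml:metinf">int</Format>
      <Mark xmlns="syncml:metinf">critical</Mark>
    </Meta>
    <Data>3</Data>
  </Item>
</Alert>"""

GENERIC_ALERT = "1226"
# Generic Alert severity marks mapped to syslog-style levels (assumed mapping)
SEVERITY = {"fatal": 1, "critical": 2, "minor": 4, "warning": 4,
            "informational": 6, "harmless": 6, "indeterminate": 5}

def _local(tag):
    """Strip the XML namespace so SyncML and metinf elements match by name."""
    return tag.rsplit("}", 1)[-1]

def _find(el, *path):
    for name in path:
        el = next((c for c in el if _local(c.tag) == name), None)
        if el is None:
            return None
    return el

def _text(el, *path):
    node = _find(el, *path)
    return (node.text or "").strip() if node is not None else ""

def parse_generic_alert(xml_text, device_id):
    """Return a flat event dict for a Generic Alert, or None for other Alerts."""
    root = ET.fromstring(xml_text)
    if _local(root.tag) != "Alert" or _text(root, "Data") != GENERIC_ALERT:
        return None
    item = _find(root, "Item")
    if item is None:
        return None
    mark = _text(item, "Meta", "Mark").lower()
    if mark not in SEVERITY:
        mark = "indeterminate"  # unknown or missing marks are kept, not dropped
    alert_type = _text(item, "Meta", "Type")
    if alert_type.startswith("Reversed-Domain-Name:"):
        alert_type = alert_type[len("Reversed-Domain-Name:"):].strip()
    return {"device": device_id, "mark": mark, "severity": SEVERITY[mark],
            "correlator": _text(root, "Correlator"),
            "source": _text(item, "Source", "LocURI"),
            "type": alert_type, "data": _text(item, "Data")}
```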
Means to an end: Mobile applications
A well-oiled MDM can help you meet your business goals, but ultimately what really matters is whether mobile users can reach business applications. For example, your users may need to reach your Microsoft Exchange or Communicator server, and your MDM can play an important role in making that application accessible to mobile users.
For starters, your MDM may deploy packages, settings and policies required for mobile devices to access those servers. Some MDMs also play an active role by serving as a gateway to connect mobile users to back-office enterprise servers, applications and data. Others can be paired with mobile application offerings from the same vendor to provide value-added features (e.g., push email delivery).
Over time, mobile devices will become an integral part of enterprise networks. Although close-knit integration of management services, policies and IT practices will not be achieved overnight, it will be necessary as more workers replace desktops with laptops and then leave their laptops behind in favor of handheld devices. The sooner you start thinking about potential MDM integration points, the faster you will accomplish unification and the less you may be forced to rework along the way.
About the author:
Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.