Many organizations have reached the point where they need to move beyond a basic device enforcement policy to an enterprise mobility management process. Organizations must determine when to incorporate EMM software and when to implement an EMM strategy. They also need to look at the best way to do it.
Products such as Microsoft Exchange Server and Google G Suite are useful for policy enforcement when implementing a device management system. Policy enforcement gives companies the tools to access email and other personal information management services -- calendar, contacts and notes -- and to provide limited policy control on devices for tasks like wiping a lost or stolen device.
Policy enforcement can only go so far in managing mobile devices, though. IT teams need to use EMM software to gain greater control over mobility management.
Organizations need to adopt an EMM strategy when the following questions arise:
- How do we manage company devices?
- Can IT control how apps are installed and managed on a device?
- How can we control content pushed out to a device?
- How can IT handle all of the users' endpoint devices -- laptops, phones, tablets and more -- from one console?
- How do we manage identity across many operating systems and web interfaces?
IT admins require visibility into personal and company devices
Immediate access to corporate email and content through a mobile device is beneficial to any business. But as the benefits increase, so does the risk.
Employees can lose devices, send emails to unknown sources and easily share sensitive business data from their mobile devices. It is the responsibility of IT and the CISO to let employees leverage leading-edge technology without making the environment insecure.
Mobile device management (MDM) is part of an EMM strategy, and a lot of EMM software providers are incorporating MDM capabilities into their products. The goal of an MDM system is to manage a corporate network's devices. The leading MDM providers include support for Apple's iOS and Google's Android mobile operating system in their products. For many companies, MDM is the first step toward an EMM strategy.
Many MDM features are migrating to unified endpoint management (UEM) services. The goal of UEM is to streamline PC and mobile device support management. Under UEM, PCs, laptops, tablets and smartphones are all regarded as endpoints -- points where data is presented to the user. Indeed, the scope for different endpoint devices will continue to increase as new digital devices, such as smartwatches and internet of things devices, gain usage in larger organizations.
Managing mobile content and apps
MDM is effective for managing an entire device, but what if companies only want to maintain a single app on a device or the content in a specific app? This type of scenario is important when apps are pushed out to personal devices or to devices that belong to third-party partners. If you are building tools that partners will use, then you need to consider how to use both mobile application management (MAM) and mobile content management (MCM) in your EMM strategy.
MAM provides control over custom enterprise apps and over which third-party apps users can install on a device, whether the device is company-owned or BYOD. This strategy works by encapsulating an app in a siloed space on the device. Encapsulation offers protection from malicious software. Many of the leading EMM software providers support MAM functions.
While MAM is a relatively inexpensive tool for content control, encapsulation restricts an app from communicating with other apps on a device. MCM is a newer, more precise process that manages the content in the app.
Device user authentication
Single sign-on (SSO) is a set of established technologies that enable Windows users to authenticate through websites quickly. It is a VPN that was made into a mobile feature. The demand for SSO services has extended well beyond Windows-based authentication and now includes authentication across social networks and new operating systems -- iOS and Android, for example.
Identity as a service (IDaaS) has evolved to address the shortcomings of SSO for the modern world, where many devices and many operating systems are now standard. The core of IDaaS is built around open standards such as OAuth 2.0, OpenID Connect and other current authentication criteria. IDaaS aims for easier and more secure authentication to access device content and complements traditional Security Assertion Markup Language authentication.
If the first challenge for mobile devices is user authentication, the second challenge is managing user profiles. Profiles are common on Windows, macOS and Linux systems. At its core, a profile sets the correct email, settings and application access for each account that logs on to the device.
Both Apple and Google have immature models to address profile management. For Apple, the ability to control profiles is only currently available in education settings where students can share an iPad. For the Android platform, Google has Android Enterprise, which builds on the profile management now in Android's core OS. Both technologies, however, are still new, and organizations should treat them with caution.
EMM software provides IT with the tools to manage users, control apps and manage content usage. It also manages mobile device features, like audio and location services, and device management features for IT, like fingerprint sensors and camera blocking.
The number of devices that IT needs to manage is growing exponentially. Millennial workers typically own three or more devices. The pressure weighs heavily on IT to manage an increasing number of devices with a faster rollover for each device -- many companies support a two-year replacement cadence for mobile devices versus four years for PCs. If departments feel the pressure to increase the rollover of devices while still ensuring effective management, then they need to incorporate MDM and UEM technologies into their EMM strategy.