When enterprise mobility centered around mobile device management, mobile admins focused on protecting data and securing devices in the case of loss or theft, but mobile admins today have so much more to tackle.
Previously, once IT pros secured their organizations' mobile devices, they could trust them with more sensitive data, such as access to business applications and file sharing. As mobile endpoints became capable of more tasks and added features, however, mobile device management (MDM) transitioned to enterprise mobility management (EMM), and trusting devices is more complicated.
Each MDM and EMM tool has numerous unique features and capabilities that its IT admins should know about. The following eight MobileIron features are important for EMM admins, and all MobileIron admins should learn how they can improve mobile UX and security in their organization.
Embedded mobile threat defense
Through its partnership with Zimperium, MobileIron features embedded mobile threat defense (MTD) in the endpoint app. IT can choose to install this at the point of enrollment, even if the organization doesn't have the proper MTD licensing yet.
When organizations decide to install MTD, one of the largest hurdles is deployment and activation. Adding the endpoint app to an organization's policy and pushing it to the endpoints is relatively standard, but getting the users to open and activate the app can be a hassle. All MobileIron admins need to do to deploy and activate the native MTD is secure the proper licensing; then they can directly enforce MTD policies on their users' endpoints through the endpoint agent. This method doesn't require any user interaction or the planning and tedium of a large-scale rollout.
Users often have privacy concerns when their organization rolls out EMM onto their devices, particularly if the device is personally enabled or even BYOD. Communicating what EMM admins can and can't view, delete and edit is crucial to achieve user buy-in with EMM, and there are several privacy-focused MobileIron features that can help IT ensure that it maintains user privacy.
MobileIron admins can assign different policies to different device groups so each group has settings tailored to its use case or based on the sensitivity of the data it is likely to access. Admins can also opt to disable location tracking and can limit their own visibility to basic device details, such as the app inventory via a corporate app store. IT can also disable the remote wipe command for devices marked as user-owned, so the device isn't wiped even if an admin issues the command.
In most EMM platforms, a remote wipe is a straightforward command for the device to factory reset itself. MobileIron and many other EMM platforms support Active Directory (AD) integration, so IT pros can configure most EMM tools to rely on users' AD credentials to register devices. In this scenario, a user's device may be wiped while the user's AD account has not been disabled yet, so the user can immediately re-enroll the device using AD credentials. When the EMM admins and AD admins aren't perfectly in sync, there could be a window during which an employee who poses a security risk to a company could regain access to resources via AD even after the device has been wiped by an EMM command.
MobileIron Core, the administrative console for MobileIron EMM, has a unique device wipe feature called "Cancel Wipe." With MobileIron Core, a device wipe is a persistent command, so if a user re-enrolls a wiped device, the MobileIron command automatically wipes the device again.
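To audit for the wipe-then-re-enroll window described above, a SIEM-style correlation can flag any enrollment by a user whose device was wiped while the directory account was still enabled. This is an added example, not MobileIron or Splunk code; the event schema, field names and sample events are constructed assumptions.

```python
from datetime import datetime

# Constructed sample events. The schema (source/type/user/device) is a
# hypothetical normalized format, not an actual EMM, AD or SIEM export.
EVENTS = [
    {"ts": "2024-03-01T09:00:00", "source": "emm", "type": "device_wipe", "user": "jdoe", "device": "D-100"},
    {"ts": "2024-03-01T09:12:00", "source": "emm", "type": "device_enroll", "user": "jdoe", "device": "D-100"},
    {"ts": "2024-03-01T10:30:00", "source": "ad", "type": "account_disabled", "user": "jdoe"},
    {"ts": "2024-03-02T08:00:00", "source": "ad", "type": "account_disabled", "user": "asmith"},
    {"ts": "2024-03-02T08:01:00", "source": "emm", "type": "device_wipe", "user": "asmith", "device": "D-200"},
    {"ts": "2024-03-02T11:00:00", "source": "emm", "type": "device_enroll", "user": "bnguyen", "device": "D-300"},
]


def find_reenroll_gaps(events):
    """Return enrollments made after a wipe while the AD account was enabled."""
    wiped_at = {}      # user -> time of that user's most recent device wipe
    disabled = set()   # users whose AD account is currently disabled
    findings = []
    # Replay events in time order so state reflects what was true at each step.
    for e in sorted(events, key=lambda ev: datetime.fromisoformat(ev["ts"])):
        ts = datetime.fromisoformat(e["ts"])
        user = e["user"]
        if e["type"] == "account_disabled":
            disabled.add(user)
        elif e["type"] == "account_enabled":
            disabled.discard(user)
        elif e["type"] == "device_wipe":
            wiped_at[user] = ts
        elif e["type"] == "device_enroll" and user in wiped_at:
            # Keyed on user, not device: the same credentials can enroll
            # a different handset after the wipe.
            if user not in disabled:
                findings.append({
                    "user": user,
                    "device": e.get("device"),
                    "enrolled_at": e["ts"],
                    "gap_minutes": (ts - wiped_at[user]).total_seconds() / 60,
                })
    return findings


if __name__ == "__main__":
    for f in find_reenroll_gaps(EVENTS):
        print(f)
```

A wipe issued for a lost device followed by a legitimate re-enrollment matches the same pattern, so findings need triage against the reason for the wipe.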
MobileIron EMM includes Tunnel, a multi-OS per-app VPN that allows users to access corporate resources securely without the need to launch a new VPN session each time. The VPN can establish a connection over cellular and Wi-Fi networks, and Tunnel also ensures that only business data flows through the VPN. Segregation of business traffic allows secure communication and enables the user to perform personal tasks without that traffic coming through the corporate firewall.
Help@Work for screen sharing
One of the most crucial MobileIron features for troubleshooting technical issues is the MobileIron Help@Work tool. Support teams can use the tool to help users who can't describe technical issues accurately. Once IT configures and deploys Help@Work onto a device, users can share their screen with admins.
For iOS devices, this takes the form of screen recording with the support console set as the destination. While iOS does not support full remote control of the device, Android admins can remotely take control of Android devices. Android users can allow IT to take over their device to reconfigure it or rectify their issue directly without the user taking any additional actions.
MobileIron SIEM integration
Since 2014, MobileIron has integrated with Splunk Enterprise Security SIEM, but the platform can also share information with other security information and event management (SIEM) offerings. These integrations can improve MobileIron's cohesion with overall business security across all systems.
Data segregation is particularly important when dealing with devices that access both business and personal content, and mobile devices often fall into this category with BYOD and personally-enabled smartphones and tablets. Configuring apps for containerization, however, can be a difficult process for IT.
MobileIron features an app wrapper, but IT must repeat the process of wrapping apps with each new app update. This re-wrapping often requires support from the app vendor. However, MobileIron offers a dedicated marketplace where users can download pre-wrapped mobile apps that are clearly tagged so users can see what is compatible with iOS and Android.
This feature is MobileIron's approach to mobile-centric, zero-trust authentication and security. MobileIron Access, in conjunction with the main features of the EMM platform, allows IT to provide conditional access to internal and cloud-based apps via single sign-on so users don't have to jump through endless security checks to get their work done. IT can combine MobileIron Access with the native MobileIron MTD to protect users at the device, network and identity levels. Access only grants users access to resources when device posture, secure network and user identity meet requirements.