Fitting MDM products into your existing infrastructure

MDM products must monitor various devices, enforce corporate policies and integrate with existing hardware, software and IT management workflows.

As IT managers consider purchasing MDM technology, the choice should depend on workforce needs. Ultimately, these technologies must be deployed at the appropriate place within the corporate network to work with other systems that play critical roles in mobility.

Furthermore, IT processes must be adapted to administer mobile device management (MDM) and to integrate it with existing workflows. And for integration to succeed, the MDM deployment must reflect corporate policies.

Fitting MDM into your network

Part of the integration question hinges on how you choose to integrate MDM technologies with your environment. MDM software can be deployed in-house, on private or public cloud servers, or on multi-tenant servers operated by a Software as a Service (SaaS) provider. The method of deployment directly affects how MDM technology integrates into a corporate network.

MDM products deployed in-house are usually installed on an IT-managed server inside a so-called demilitarized zone (DMZ). This approach lets the enterprise firewall protect the MDM server from Internet-borne attacks. It also enables IT to narrowly define external access to specified services such as the self-help portals for registering devices or changing passwords.

Furthermore, DMZ deployment makes it easy for the MDM server to have tightly controlled and monitored access to necessary enterprise infrastructure, including directory services, certificate services, email services and more.

You can protect these inside-the-firewall services from Internet-based threats by giving the MDM server privileged access through carefully crafted firewall rules.

But when MDM products are deployed outside the corporate network, either hosted on cloud servers or operated by SaaS providers, you need to take a different approach to network integration.

  • For cloud-hosted servers, an authenticated, encrypted virtual private network (VPN) tunnel can give the externally hosted MDM product a virtual presence on the enterprise DMZ.
  • For SaaS-based MDM products, integration details vary for each product, but most boil down to deploying an integration server inside the corporate network (see Figure 1).

Figure 1: This is how SaaS-based MAM software integrates with a corporate network.

For example, provider-supplied MDM integration software may connect via HTTPS to a SaaS-based MDM. With this approach, no enterprise firewall changes are required to permit inbound tunnels or MDM sessions, and IT has control over the integration server's security and integrity.

Integrating MDM with IT infrastructure

Figure 1 also illustrates several infrastructure services that MDM products may tap to manage mobile devices more effectively or to enable mobile worker access to enterprise applications and data.

In small deployments, infrastructure integration is often omitted for rapid activation and operational simplicity. However, as a deployment grows in user breadth and functional depth, infrastructure integration becomes increasingly important for scalability, efficiency and visibility.

For example, administrators can manually add individual usernames, passwords and permitted devices to an MDM product’s own database. For scalability, many MDM technologies can also add users and devices via batch file import.

Employee changes, however, easily create configuration challenges. Administrators must still update the MDM configuration for each user who changes positions, leaves the company, or loses or purchases a device. Over time, this account maintenance grows expensive and error-prone.

Integration with an enterprise directory service can reduce these IT costs while creating a more seamless mobile user experience. For example, an MDM product integrated with your enterprise Active Directory (AD) service may simply check newly enrolled users against existing domain usernames and stored credentials.

With MDM-AD integration, users can enroll mobile devices by providing their usual login and password information. The MDM software can also make provisioning decisions based on AD attributes such as group affiliation.

If a user moves to a new organization, MDM software can auto-detect AD group changes, triggering device re-provisioning. If the user is deactivated in AD, this may automatically trigger MDM deactivation of all previously provisioned devices belonging to that user.

Directory service integration is only one of several common infrastructure integrations, but it is one to weigh carefully when selecting MDM products: look for standard protocols such as Lightweight Directory Access Protocol (LDAP) and Remote Authentication Dial-In User Service (RADIUS) that enable off-the-shelf integration.

When evaluating integration capabilities, scrutinize how a given MDM product uses directory accounts and attributes. An MDM technology that performs one-time username and password import from Active Directory offers far less integration than one that tracks AD updates and applies them to policies.
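The following is an added illustration, not code from the article or from any MDM product, of what "tracking AD updates and applying them to policies" means in practice: one sync pass that compares a directory snapshot with the MDM's enrollment records and derives the re-provisioning and deactivation actions described above. The group names, profile names, users and devices are constructed; only the two userAccountControl bit values are real AD constants.

```python
ACCOUNTDISABLE = 0x0002   # real AD userAccountControl bit for a disabled account
NORMAL_ACCOUNT = 0x0200   # real AD userAccountControl bit for a normal user account

# Hypothetical group DNs and the MDM provisioning profile each one grants.
ENG = "CN=Engineering,OU=Groups,DC=example,DC=com"
SALES = "CN=Sales,OU=Groups,DC=example,DC=com"
GROUP_PROFILES = {ENG: "eng-profile", SALES: "sales-profile"}

def profile_for(member_of):
    """First mapped group in memberOf wins; users in no mapped group get the default."""
    for dn in member_of:
        if dn in GROUP_PROFILES:
            return GROUP_PROFILES[dn]
    return "default-profile"

def reconcile(directory, enrollments):
    """Return the actions an AD-integrated MDM would take on one sync pass.

    directory:   {sAMAccountName: {"userAccountControl": int, "memberOf": [dn, ...]}}
    enrollments: [{"device": str, "user": sAMAccountName, "profile": str, "active": bool}]
    A user missing from the directory snapshot is treated like a disabled account.
    """
    actions = []
    for e in enrollments:
        if not e["active"]:
            continue                                          # nothing left to revoke
        entry = directory.get(e["user"])
        if entry is None or entry["userAccountControl"] & ACCOUNTDISABLE:
            actions.append(("deactivate", e["device"]))       # user left or was disabled
            continue
        wanted = profile_for(entry["memberOf"])
        if wanted != e["profile"]:
            actions.append(("reprovision", e["device"], wanted))  # group membership changed
    return actions

# Constructed sample data: alice moved from Sales to Engineering, bob's account was
# disabled, carol was deleted from AD, dave is unchanged.
DIRECTORY = {
    "alice": {"userAccountControl": NORMAL_ACCOUNT, "memberOf": [ENG]},
    "bob":   {"userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE, "memberOf": [SALES]},
    "dave":  {"userAccountControl": NORMAL_ACCOUNT, "memberOf": [SALES]},
}
ENROLLMENTS = [
    {"device": "dev-1", "user": "alice", "profile": "sales-profile", "active": True},
    {"device": "dev-2", "user": "bob",   "profile": "sales-profile", "active": True},
    {"device": "dev-3", "user": "carol", "profile": "default-profile", "active": True},
    {"device": "dev-4", "user": "dave",  "profile": "sales-profile", "active": True},
]
```

Calling reconcile(DIRECTORY, ENROLLMENTS) re-provisions alice's device with the engineering profile, deactivates bob's and carol's devices, and leaves dave's untouched; a product that only imports accounts once would never produce the second and third actions.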

Other IT infrastructure services that can often be integrated with MDM products include the following.

  • Certificate authority. Many MDM offerings can issue digital certificates to newly enrolled devices or provision VPN/wireless LAN (WLAN) settings that use trusted certificates. But enterprises with their own public-key infrastructure should look for a system that lets a separate certificate authority sign and maintain trusted certificates.
  • Network management. Some MDM products deliver device alerts or attributes to third-party network management systems such as IBM Tivoli or HP OpenView. This integration can help IT gain a more holistic view of network-connected devices. MDM combined with network management can, for example, enable correlation of mobile alerts with equipment or application server root-cause failures.
  • Trouble ticketing. A small but growing number of MDM products have been integrated with third-party trouble-ticketing products such as Remedy. This integration can make it easier to diagnose and resolve problems.
  • Reporting. Many MDM products can generate on-demand or scheduled canned and custom reports. In addition, report data can be exported for use by third-party business intelligence systems such as Crystal Reports.
  • Homogeneous MDM. Some heterogeneous MDM products provide "cut through" integration with platform-specific offerings. This kind of integration helps IT manage all mobile devices through a single view.

In addition to off-the-shelf integration, enterprise MDM products have started to offer proprietary application programming interfaces (APIs) that customers can use to share data and events with any third-party or custom business system.

For example, some WLAN and network access control products use APIs to interact with MDM and provision newly connected mobile devices under bring-your-own-device programs.
