Best Mobile Device Management (MDM) Solutions Buying Guide

By business.com editorial staff, business.com Member | Updated Oct 11, 2018

What is Mobile Device Management and Enterprise Mobility Management?

The rapid proliferation of corporate- and user-owned devices in the workplace means that organizations need to beef up their support infrastructure now. Mobile device management (MDM) is the primary software solution for managing and securing your company's data and applications that are used on the many mobile endpoint devices that go in and out of your organization.

MDM platforms give you a central interface to interact with the data on your company's devices as well as your employees' personal devices, which are typically enrolled in the platform when the employee is hired. Enterprise mobility management (EMM) solutions are another form of endpoint management; the term usually refers to a larger suite of tools.

Today, EMM solutions typically include MDM, mobile application management (MAM) and mobile content management (MCM) capabilities, each of which addresses specific concerns regarding managing devices, applications and content. Other common EMM capabilities include an app store and productivity apps, a secure browser, email management, reporting and analytics. Some products even offer identity and access management (IAM), single sign-on (SSO) and threat protection.

The financial benefits of MDM and EMM tools include:

  • Enhanced IT control, including remote monitoring, configuration, app deployment, etc.
  • Enhanced security including policy enforcement, blacklists/whitelists, password management, etc.
  • Protection against data breaches, including remote lock and wipe capabilities for lost or stolen devices
  • Logging and reporting capabilities for compliance purposes
  • Data protection, backup and restore functionality for corporate data
  • Improved productivity for end users
 

Pricing

Most MDM vendors charge annually per device, but some offer a "per user" option, where the price is a bit more, but includes an unlimited number of devices per user. The user pricing option is ideal for organizations that are supporting BYOD programs or mixed environments.    

Several vendors have additional support/maintenance/software update fees that are separate from the device/user fees. Some also offer a perpetual device fee with an annual support/maintenance fee. Additionally, many MDM solutions are part of a bigger bundle or package that might include a separate license.  

Your first step should be to get an accurate quote and perform a cost analysis that takes into consideration not only the MDM fees, but also the management costs associated with implementing and supporting the solution. Consider what the transition will require and if the vendor is helping in any way. Determine how many people you'll need in each role and how much time you'll need them for. Then include these costs in your analysis.  

More advanced EMM platforms that feature an entire suite of endpoint management tools are more likely to be priced on tiered plans, and their vendors will likely work with your company to come up with a quote based on your exact needs.

Negotiation Tips

As you research and shop for an EMM and MDM solution, it's important to know exactly what your organization's needs and use cases are for a platform. There are several features and prerequisites you should keep in mind and make sure the service has, including:

Supported Operating Systems and Platforms

MDM suites usually support a subset of all available operating systems (OSs) and platforms. The operating system is the software that the device runs, and the platform is the type of device, such as a mobile phone, tablet computer or laptop computer.

Major mobile device OS options include Android, iOS (Apple) and Windows Mobile. Major computer OS options include Windows, Mac OS X, Linux and Chrome OS. Based on the devices your employees regularly use, you can decide which ones you want to allow in your network.

Security Features

While all MDM vendors will tout their security features list, there are a few essential ones to recognize and require for your own company's safety and ongoing security efforts.

  • Mandatory password protection
  • Jailbreak detection
  • Remote wipe
  • Remote lock
  • Device encryption
  • Data encryption
  • Malware detection
  • VPN configuration and management
  • WiFi configuration and management

Enterprise App Integration

You don't want to commit to a tool that doesn't fit in with what you already use. Examine your MDM prospects with a discerning eye when it comes to integration with your existing enterprise applications, such as Active Directory/LDAP, Microsoft Exchange, web-based mail, cloud services and backup/restore.

End User Support

Unless you have the resources and the desire to provide 24/7 support for your users, you should find out if your MDM suite offers a self-service portal, help desk and multi-language support.

Management and Reporting Features

Before purchasing an MDM suite, you should find out what's offered for management and reporting. Administrators will need a robust management interface with which to monitor, patch and track managed devices. For reporting, you should look for device-level analytics, alerting options and a real-time dashboard so that you can see at a glance the number and health of your managed devices. Check the type and extent of any third-party management software integration available for your suite.

The key to purchasing an effective MDM solution is to "try before you buy." Most vendors have limited device demonstration software that you can use for an evaluation period. Include your technical team who will be using the software so they can fully vet the suite and its features.

There are plenty of MDM suite choices that provide you the protection you need, give your employees the freedom they want, and have the features that matter.

State of the Industry

There are three key changes to the world of mobility management. First, the definition of mobile devices has expanded, and now includes notebook computers, two-in-one devices and wearables. If it's not physically attached to a desk or rack, or too heavy to move, it can and should be under mobile management. From a feature and function perspective, enterprise access and containerized productivity apps are driving EMM purchase decisions, rather than augmenting them as a value add.

Second, the IT world has pushed incumbent enterprise applications to either become mobile friendly, or be replaced by newer (and oftentimes less expensive) cloud-based solutions. Under the auspices of mobile application management (MAM), nearly every type of tool either has a native app, a web browser link, or another mechanism to securely access enterprise data. As an aside, monitoring and protecting access has birthed cloud access security brokers (CASBs).

Finally, anywhere access to content has also changed. What was pioneered by Dropbox in the consumer space and Egnyte in the business world has blossomed into the market of enterprise file sync and share (EFSS). As it relates to EMM, this is the third leg of EMM: mobile content management (MCM). As an included component of EMM suites, this is disrupting not only the incumbent document management platforms, but also SharePoint, default storage for public cloud apps (such as Salesforce) and, finally, knocking out the antiquated shared drive model.

 

What You Can Do With MDM

Tracking Mobile Devices: Asset Management - The first step to managing mobile devices in the enterprise is ensuring you have an accurate inventory of devices working with your infrastructure. Inventory and asset management features can help you identify the number and types of devices on your network. Asset management features should include the ability to register devices, query for device configuration, and report on the status of devices. For example, you should be able to generate reports on the number of mobile devices registered, the type of devices present, as well as the operating systems and patch levels used. An asset inventory supports many of the other functions required for managing the security of mobile devices.

Screening Apps: White/Black Listing - System administrators can readily control applications installed on workstations and laptops by limiting administrator privileges. Achieving comparable levels of control with mobile devices is more challenging. Different platforms will offer varying features and functionality, so look for an MDM system that provides a common set of management features for all the platforms you will support. One of those common features should be the ability to limit apps used on managed mobile devices.

Whitelisting allows you to list the set of acceptable apps for mobile devices. Some mobile device management systems include app stores which allow you to host a repository of apps for your users. Mobile application management is also a separate category of software; if your mobile device management platform does not provide an app store you can get that functionality from another application.

Blacklisting allows you to limit the use of unapproved applications. This is useful when you wish to specifically identify an application that should not be on a mobile device accessing the corporate network, such as those that collect personal or corporate information unrelated to the function of the app.

Keeping Data Confidential: Encryption - One of the advantages of tablets, and even smartphones, is the ability to maintain copies of and read documents away from the office. Office productivity apps can give much of the functionality of desktop word processors and spreadsheets, creating even more incentive to download copies of corporate information to mobile devices. The obvious security drawback is that mobile devices can be lost or stolen, and therefore potentially leak confidential information.

MDM systems can allow you to define an encryption policy for data stored on mobile devices. This should include strong encryption and key management. Keep in mind that data should be encrypted during transmission ("data in motion") and while stored on the device ("data at rest"). 

Be sure to test your essential apps with device encryption. Data must be decrypted before it can be programmatically manipulated or viewed. Encrypting a device could disrupt some app functionality.

Locking Down Devices: Controlling Device Configurations - Mobile devices are feature-rich with Bluetooth communications, geolocation tracking, Wi-Fi network access and other functions. These can all be useful in many situations, but for security-conscious IT professionals, these can seem more like vulnerabilities than features. MDM systems should allow for remote control over configurations, up to and including remotely wiping a lost or stolen device.

Enforcing Rules: Policy Management - A sound mobile device management strategy should include policies that describe configuration and operational requirements imposed on mobile devices. These policies can cover a broad range of device controls such as the use of encryption, the need for device passwords, or disabling Bluetooth, Wi-Fi or location services. Since many organizations will support multiple mobile device platforms, the policy enforcement mechanism should function across multiple platforms.

MDM systems can help mitigate security risks related to the use of tablets and smartphones in the enterprise. Look for support for asset management, app management, encryption and policy enforcement to help protect your information assets.
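The asset inventory, app white/blacklisting, encryption and policy checks described above can be combined into a single cross-platform compliance pass. The following is an added example, not code from this guide or from any MDM product; the policy keys, record fields, app identifiers and device records are all hypothetical and constructed for illustration.

```python
from collections import Counter

# Hypothetical policy; the keys are assumptions, not any MDM product's schema.
POLICY = {
    "require_passcode": True,
    "require_encryption": True,
    "allow_jailbroken": False,
    "app_blacklist": {"com.example.datahoarder"},
    "app_whitelist": {"ios": {"com.example.mail", "com.example.docs"}},
    "min_os": {"ios": (12, 0), "android": (8, 0)},
}

# Constructed inventory records, as an asset-management query might return them.
INVENTORY = [
    {"id": "dev-001", "platform": "ios", "os": "12.1", "passcode": True,
     "encrypted": True, "jailbroken": False, "apps": ["com.example.mail"]},
    {"id": "dev-002", "platform": "android", "os": "7.1", "passcode": False,
     "encrypted": True, "jailbroken": False,
     "apps": ["com.example.mail", "com.example.datahoarder"]},
    {"id": "dev-003", "platform": "ios", "os": "12.0", "passcode": True,
     "encrypted": False, "jailbroken": True, "apps": ["com.example.game"]},
]

def parse_version(text):
    return tuple(int(p) for p in text.split("."))  # '7.1' -> (7, 1), numeric compare

def evaluate(device, policy=POLICY):
    """Return the sorted list of policy violations for one device record."""
    found = []
    if policy["require_passcode"] and not device["passcode"]:
        found.append("no_passcode")
    if policy["require_encryption"] and not device["encrypted"]:
        found.append("not_encrypted")
    if device["jailbroken"] and not policy["allow_jailbroken"]:
        found.append("jailbroken")
    minimum = policy["min_os"].get(device["platform"])
    if minimum and parse_version(device["os"]) < minimum:
        found.append("os_below_minimum")
    apps = set(device["apps"])
    found += [f"blacklisted_app:{a}" for a in apps & policy["app_blacklist"]]
    allowed = policy["app_whitelist"].get(device["platform"])
    if allowed is not None:  # whitelist is enforced only where one is defined
        found += [f"unlisted_app:{a}" for a in apps - allowed - policy["app_blacklist"]]
    return sorted(found)

def report(inventory=INVENTORY):
    """Asset summary per platform plus violations for non-compliant devices."""
    findings = {d["id"]: evaluate(d) for d in inventory}
    return {"by_platform": dict(Counter(d["platform"] for d in inventory)),
            "non_compliant": {k: v for k, v in findings.items() if v}}
```

Calling `report()` gives the per-platform device count and, for each non-compliant device, the specific rules it fails, which is the kind of output the reporting and alerting features discussed earlier would surface.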

MDM and BYOD

Bring your own device (BYOD) policies have been a money saver for companies that require employees to be mobile. Understanding BYOD and its impact on an existing organization and infrastructure is a critical milestone in the adoption of employee-owned devices that will allow a business to make the best use of cloud computers, smartphones, super phones and tablets.  

There are market forecasts that expect the BYOD and Enterprise Mobility market to grow at double digit rates and reach more than $180 billion within five years. Juniper estimates that there are currently 150 million BYOD devices deployed. Within two years, that number is expected to grow to 350 million and span major organizations. 

Implementing BYOD brings with it concerns that will touch long-term vendor plans, maintenance and procurement, application development and data ownership. Security concerns about BYOD often do not receive enough attention at organizations, potentially setting the stage for catastrophic exposure of sensitive data.

Here are some of the best practices when it comes to BYOD and security concerns:

  • Policy review: Existing policies may need tweaking, but there should be a clear path toward applying current policies to the mobile app and device world as well.  
  • Set realistic expectations: Using a mobile device privately is very different from using a mobile device within an organization. Employees using BYOD will have to accept compromise and that your organization's security is the priority. 
  • Platform support: The mobile platform environment is extremely fragmented, and there is no reason to believe that this fragmentation will change anytime soon. Remember that certain devices outside Apple's iPhone/iPad may support different features, which requires your organization to maintain a supported devices list. 
  • Application policy: An application policy can be based on blacklisting or whitelisting software in combination with using containers to run third-party software. There needs to be clarity regarding which software is permitted and which is not. Setting an application policy can consume a massive amount of resources, but stands at the center of your security policy. Only apps that provide auditing, reporting and centralized management should be allowed. 
  • Evaluation of MDM: MDM software can solve many of your security headaches, but will require time to be evaluated properly. Think of MDM as the skeleton structure of your BYOD program, with a basic set of secure applications you do not have to worry about, including email and remote device access, as well as a structure to enforce Internet data traffic policies.  
  • Mandatory PIN and encryption: Consider the mandatory use of PINs as the first security layer on a device. Similarly, all data stored on the device should be encrypted by default.  
  • Ongoing education and training: All people providing and using BYOD are, by default, risk factors. Consistent education addresses unnecessary risks and provides the knowledge necessary to use BYOD responsibly. Accidental data loss remains one of the main reasons why data is put at risk. Education and training are effective ways to mitigate that risk. 

Your policy will change and evolve as you create and implement the program. Consider enlisting the support of your legal team, as the usage of BYOD has legal implications. Employees participating in BYOD should agree to its terms of use.