Every IT manager worth his or her salt would really like to get hold of users’ physical devices to lock down security and manage privileges, protocols and permissions in the perpetual quest for control. This is not always possible.
The situation has given rise to industry terminology such as mobile device management (MDM) and bring your own device (BYOD).
But where do we start? What do you get in an MDM box when you unwrap it and what kind of roadmap should firms be following to implement effective MDM in the face of rising BYOD?
While MDM is a fairly self-explanatory term, let us try and restate what it should really mean.
Simply put, MDM is that area of administrative IT department control where devices are deployed, secured, integrated (and architected) into the network and subsequently monitored and managed (and possibly deleted).
By “devices” we mean laptops, tablets and smartphones, of course. But our use of the term also now includes the Internet of Things, including basic “wearables”, from the consumer-level Fitbit, and perhaps heart-rate monitors, to more industrial sensor-based pieces of equipment.
At the peak of MDM Nirvana (a place oft dreamed of but rarely reached) an administrator is capable of intercommunicating with all devices on all platforms in the network.
The machine-to-machine communication channels are open through all local country service providers so all devices are accessible. Updates and other management can be performed over the air without requiring physical contact with the devices.
These can be managed to a degree compliant with the IT department’s vision for an optimised network based on particular application use cases and connections to specific online services. This is MDM perfection – but perfect MDM is tough to calculate and rarely possible.
Facts and fantasy
What happens back on planet Earth is slightly different. Device usage is subject to an overabundance of determining factors; while some are logical and predictable, others are intangible and unexpected.
According to surveys, the younger workers classed as Generation Y have exhibited some strange behaviour. Generation Y executives would apparently be happy to take a lower salary if allowed to work using a device of their own choosing.
It is at this point that the prudent business should surely start to question whether these are really the kinds of employees they want to attract in the first place.
The challenge here comes down to usability and productivity. It is straightforward enough to think about an MDM policy that stops users starting up specified applications in defined locations, or one that prohibits them from downloading games on their devices, but at what cost to employees’ freedom, work satisfaction and ultimately loyalty?
There is little point in managing any data or device if we don’t know what is inside it, so inventory controls are a first element of any decent MDM package.
From there we can look at hardware and software component management and also bring network access control and help-desk features into the MDM mix.
As we build up this idea of the total MDM architecture, we need to ask just how far and wide should an MDM solution go? The answer is quite far, because MDM can include software application provisioning and management to make apps behave with custom-designed characteristics.
Applications may be installed under terms of limited access so that they stop functioning based on GPS location information, time of day or some other pre-selected factor.
Developers will not necessarily have engineered controls and gateways to enable this kind of broader control, so MDM has a direct role to play here.
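The conditional access described above (an app that stops functioning based on GPS location, time of day or device type), sketched as an added example that is not taken from the article or from any MDM product. The policy fields, device-class names and coordinates are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time
from math import radians, sin, cos, asin, sqrt
from typing import Tuple

@dataclass(frozen=True)
class AppPolicy:
    device_classes: frozenset      # device types allowed to run the app
    centre: Tuple[float, float]    # geofence centre (lat, lon) in degrees
    radius_km: float               # geofence radius
    start: time                    # start of permitted local-time window
    end: time                      # end of permitted local-time window

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def in_window(now, start, end):
    """True if now is in [start, end); handles windows that cross midnight."""
    return start <= now < end if start <= end else (now >= start or now < end)

def may_run(policy, device_class, fix, now):
    """Return (allowed, reason). Every check fails closed."""
    if device_class not in policy.device_classes:
        return False, "device class not approved"
    if fix is None:  # no GPS fix: deny rather than assume the device is on site
        return False, "no location fix"
    if distance_km(fix, policy.centre) > policy.radius_km:
        return False, "outside geofence"
    if not in_window(now, policy.start, policy.end):
        return False, "outside permitted hours"
    return True, "ok"

# Constructed sample policy: 2 km fence around illustrative coordinates, 07:00-19:00.
OFFICE = AppPolicy(frozenset({"corporate-phone", "corporate-tablet"}),
                   (57.15, -2.11), 2.0, time(7, 0), time(19, 0))

if __name__ == "__main__":
    for args in [("corporate-phone", (57.151, -2.112), time(9, 30)),
                 ("corporate-phone", (51.507, -0.128), time(9, 30)),
                 ("corporate-phone", None, time(9, 30)),
                 ("personal-phone", (57.151, -2.112), time(9, 30)),
                 ("corporate-tablet", (57.151, -2.112), time(22, 0))]:
        print(args, "->", may_run(OFFICE, *args))
```

The ordering matters: a missing location fix is treated as a denial, so disabling GPS on the device cannot be used to step outside the fence.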
Part of the challenge is that MDM has to be comprehensive and capacious: you either have it or you don’t.
MDM control software can be delivered in a virtualised form as a cloud-based service as opposed to an on-premise solution. But every MDM solution that a firm settles on must have a comprehensive range of features.
It is difficult (and expensive) to deploy multiple systems, each of which solves just a piece or two or three of the total mobility management puzzle.
“BYOD has significantly changed approaches to managing and securing end-user computing devices in enterprises,” says Graham Long, vice president of the enterprise business team at Samsung UK.
“Many businesses have struggled to adapt to the changes, while others have simply not been prepared.
“Businesses need to start taking a whole new approach to mobility. They need to implement a structure that can identify classes of users and device types and create policies for treating the different groups as they attempt to connect to the network.”
In terms of implementing MDM, Samsung points to its Enterprise Software Development Kit (E-SDK), which developers can use to take advantage of the additional security features available in Security Enhanced Android. The tool can also be used to develop bespoke enterprise applications for devices.
According to a recent Samsung MDM white paper, the E-SDK enables developers to use features that enhance the security, accessibility and usage cost of mobile devices. E-SDK offers more than 890 APIs and 410 policies for what the firm calls “increased device control”, whereas standard Android provides 30-plus policies and APIs.
To MDM and beyond
Gartner analysts Ken Dulaney and Terrence Cosgrove wrote a piece in May 2014 entitled Managing PCs, Smartphones and Tablets and the Future Ahead. In it they suggest that the collision of PC and mobile device management approaches over the next seven years will create a product category called unified endpoint management (presumably UEM in acronym land).
“Everything about PC and mobile device management is changing, including necessary skills and IT processes. Enterprises are supporting two radically different management architectures – one for PCs and another for smartphones. PCs are managed through system images, while smartphones and their cousins, tablets, are managed via a more complex mechanism that adapts to their sandboxed architectures,” they write.
“Yet, in many cases, IT attempts to make smartphones act like PCs through strategies such as containerisation, which is a pseudo system image. IT should understand the differences between the management styles of the two types of devices and recognise that sandboxed architectures represent the future. Thus, the management framework approach going forward will result in a product category called unified endpoint management.”
Gartner’s erudite musings notwithstanding, today we still have MDM. Perhaps a practical example in 2014 will help us compare the theory with the reality.
Steven Ward is group IT manager at Ferguson Group, an Aberdeenshire-based offshore container, accommodation and workspace module specialist. Ward explains that security and the provision of a standard build for mobile devices are the two factors driving his organisation’s MDM adoption.
The firm has offices all over the world and many employees on the move, so IT needs to know security will not be compromised.
“We need to be able to wipe and lock devices remotely as soon as we receive that call,” says Ward.
“The BYOD trend means some employees feel the IT department is there to provide tech support for their own phone, which is not the case. We’re there to provide a standard device with a standard set of applications which are compliant and secure.
“We don’t need MDM to take up half of our job. Instead, MDM provides our small department with the capabilities to keep around 100 devices spread around the world secure remotely. We’re working with Spiceworks’ MDM solution as a cost-effective way of doing this.”
Ward says that in his experience it is not the younger generation demanding BYOD and driving MDM adoption.
“Employees recognise that our policy is to provide them with the devices they actually need. If they have a requirement, we will try and cater for it. The issue is ensuring employees are running apps approved for business purposes. MDM becomes important in this respect, as we can monitor applications and keep devices secure,” he says.
Picking up speed
Whether we look forward to Gartner’s unified endpoint management theory or stay closer to home with MDM as it is today, a combination of current methodologies may be the most prudent way forward.
We need only to look at global trends to confirm that mobile data is exploding. Vodafone reminds us that based on analysis from 2012, global mobile data traffic grew by 70 per cent.
Extrapolating from these figures, we find a compound annual growth rate in data flows of 66 per cent predicted over the next five years.
Not only is the amount of data traffic soaring, it is also moving faster than ever. Average worldwide mobile connection speeds are forecast to rise sevenfold by 2017.
Vodafone’s answer is its eponymously named Device Manager, a technology that includes AppConnect. This provides a software development kit designed to help create wrappers for iOS and Android and put apps in secure containers.
So could wrappers and containers be the answer to MDM and BYOD headaches? Could the notion of a multiplicity of user endpoints be the most sensible approach? Or could plain old CYOD (choose your own device) be the best way to manage BYOD?
CYOD represents a dividing line between BYOD randomness on the one hand and the formalised top-down provision of company devices on the other. CYOD schemes allow employees to select a mobile device from a range of company-approved products.
The problem (well, one of the additional problems) here is that MDM has to extend beyond the working life of a corporate device to make sure it is given appropriate end-of-life treatment.
Global estimates suggest that the average phone is used for just 18 months. The issues associated with MDM and BYOD come from so many angles, it becomes hard to know which direction we need to start applying policy in.
“Businesses must take intelligent responsibility for the growing threats to their communications environment,” says Vincent Geake, head of secure mobility and new ventures at BAE Systems Detica, Vodafone’s global security partner.
“By doing so, they will fulfill their duty of care to shareholders, employees and customers, ensuring that they keep their valuable information safe and remain compliant with external expectations, wherever their workforce is operating.”
When worlds collide
We will continue to manage our enterprise desktop client experiences through controls that will be distinct from the MDM that operates in the dedicated mobile space, but this will ultimately change as we reach a point where the two worlds collide.
This inevitable convergence and unification of device controls will shape our usage of all technology over the next five years.
MDM is at an all-time high and it is about to become more important. Embrace it and we can embrace the future.