Mobile Device Management
“Hey Buddy, can you make it so my phone can get work email please?” “Oh sure, no problem.” “Thanks. Also I’ll need my laptop, tablet, smartwatch, A/R goggles, car and refrigerator all set up as well please. Oh and I’ll need it done before I leave on a work trip in the next 20 minutes. Ciao!” When it comes to managing a small number of users on workstations, a single person can usually handle it without a significant amount of assistance, provided the amount of maintenance required isn’t substantial. However when you take that same number of users and bring in work-owned mobile devices and personal devices that may occasionally have work-related tasks performed on them, that number can balloon up very rapidly. While Mobile Device Management (MDM) as a concept plays a vital rule in a number of different security aspects, this will be a deep dive into ‘What is it and how does it do what it does?’
What is Mobile Device Management?
Mobile Device Management first really entered the public consciousness with the ‘Bring Your Own Device’ movement. For a fair amount of time before this, the only devices considered trusted, powerful and effective enough to be used in most organizations environments were Blackberry devices. Blackberry had already set up a number of connections between their Blackberry Enterprise Server and many other industry standard applications that could then be accessed on the Blackberry devices. With the mass availability of iOS and Android devices however, these feature sets- email, web browsing, contact sharing and more- became the rule for users as opposed to the exception.
Once users started wanting to use a single more versatile device instead of multiple separate devices, it became a problem that needed a hardware neutral solution. Most MDM solutions are now able to handle a wide variety of device types and vendors, making it an extremely useful tool with a single pane of glass for troubleshooting and monitoring.
How does it work?
For devices to be able to communicate with the MDM solution, they first need to be enrolled. This usually takes the form of downloading an app, but the method it is delivered can vary depending on what the user is comfortable with. Whether it is a text message, email or a direct download however, the principle is the same- an agent will be pre-configured for the type of operating system that the device runs and be installed onto the device. Certain vendors do require additional tasks to be performed after the app has been installed and enrolled with the MDM service, such as downloading apps from a private company app store, set up geofencing for particular access methods, and push out any required apps such as endpoint protection-type software.
After the agent has checked in fully, it will go over the current security setup of the device. For example, if the organization has decided that all devices must use a passcode for security, the user may be unable to continue to use the device until they have set up a passcode. Are there any apps that currently have root access? Should we send out an alert or automatically remove them? Is the device itself rooted? Should it be completely prohibited from connecting then? Are there apps currently installed that are prohibited from the organization? Again, should this information generate an alert or be automatically uninstalled? MDM servers have an enormous amount of potential settings and options that can be configured for an organization’s specific needs, and before any large enrollments take place, they should be gone over with a fine tooth comb- it is always easier to take the time in the planning stages than have to backtrack later.
With that being said however, most MDM solutions do allow for near real-time modifications of settings for a large number of devices. The amount of time it takes for tweaks to be deployed varies greatly on the current power state of the devices along with their connection status, but since these modifications take place the next time the devices check in- it could happen within 30 minutes after the change occurs.
Why should we use it?
The most obvious answer is for security and management of mobile devices. If a device is lost or stolen, it can be remotely wiped to prevent loss of data. This can also be significantly useful if the device has already become compromised and is actively being used as a connection into the organization’s network. If the device must be recovered at all cost, GPS tracking can allow for locating the device quickly. Many MDM solutions also allow for Remote Administration- enabling technical support to hop into the mobile device just as they would on a full size system and see what a potential malicious user is doing and record if required. Additionally, since MDM is also able to manage laptops and more as well, this may be able to reduce the use of possibly not as secure methods of Remote Administration.
However we are also able to use MDM for inventory tracking, see what devices have not checked in for a while, and view at a glance what devices may be approaching the end of support from their manufacturer- whether on the hardware or operating system sides. This is critical as our infrastructures become more and more based around mobile devices- being able to depend on their functionality is crucial to organization operations.
MDM solutions are one of those things that most people won’t ever really think about- they have a phone, they want to use it for whatever they want, and that’s it. Being able to do that securely is an imperative that many organizations will be racing forward on, and making sure that a phone left on a table in a coffee shop doesn’t turn into a full blown breach. This is also something that we need to make sure that our users understand completely, as suddenly not being able to install whatever they want may be met with significant pushback. MDM is only one aspect of making sure that our users and their devices are used securely however, and InfoSec Institute has a huge amount of articles, Certification courses and more to meet your security and training needs. Please be sure to check them out!
- https://www.ibm.com/downloads/cas/VENWY8OG 11 Best Practices for mobile device management (MDM)
- https://www.blackberry.com/us/en/solutions/mdm-mobile-device-management Mobile Device Management from Blackberry
- https://en.wikipedia.org/wiki/BlackBerry_Enterprise_Server BlackBerry Enterprise Server
- https://www.continuum.net/resources/mspedia/everything-to-know-about-mobile-device-management-mdm What is Mobile Device Management(MDM)?