Thanks to increased operating system capabilities and advances in mobile device management platforms, organizations can implement a bring your own device (BYOD) policy that meets user productivity and privacy needs without compromising data security, but it requires significant planning. This becomes even more difficult when organizations introduce unified endpoint management (UEM) and mobile device management (MDM) strategies for BYOD. However, it is possible to strike a balance between organizational needs and user needs. To successfully deploy a BYOD program, IT administrators must properly design the MDM policies that apply to devices and ensure that employees clearly understand the implications of these policies. For example, some organizations offer subsidies or other methods to reimburse the cost of device use, while others only allow access to applications without paying users.

Set expectations and alleviate end-user concerns

Regardless of the BYOD model an organization adopts, expectations must be set upfront for users so they can follow the agreed-upon system. Without this, friction arises when users submit expense bills and discover they are not entitled to the reimbursement they assumed they would receive. Once end users know ahead of time what they are signing up for, they are usually happy to comply with the policy. If administrators say they can't see certain features and then undermine that trust, the policy is doomed to fail. To successfully implement MDM for BYOD, organizations should alleviate common user concerns.

Can MDM track browser history? No, but MDM can be used to deploy over-the-top services that can redirect, control, and monitor SIM-based and Wi-Fi traffic. Organizations that do this should make users aware of it and consider a separate policy for BYOD users.

Can MDM read text messages? Not on iOS devices, as Apple has not yet provided MDM capabilities for this, even on supervised devices. It is possible on some versions of the Android platform, but IT teams rarely deploy native controls to read text messages. Text messages can be routed to the organization's email archive. Most messaging apps deploy end-to-end encryption on messages, which prevents IT from accessing the content. Strictly regulated organizations may deploy third-party products to log business information, but this should be clearly communicated to users, and personal communications will often be left in unscreened areas. Organizations that require such communications to be logged typically do not allow regulated users to bring their own devices, because it is difficult to strike a balance between user privacy and compliance.

Can MDM track location? Yes, it can even prevent that if the user disables location services after enrolling in MDM.
Most MDM platforms, including VMware AirWatch with Workspace One, IBM MaaS360, MobileIron, and others, have privacy settings to prevent location tracking for BYOD devices. IT should always be clear about whether tracking is enabled for all groups, for specific users, or not at all.

Can an MDM platform see what apps are installed on a user's phone? Typically, an MDM platform collects an app inventory once a user enrolls a device. Using privacy settings, IT can choose not to see this information, or to see only line-of-business apps deployed from an internal app store. Limiting visibility is a good idea because personal apps can reveal undesirable information that IT should avoid whenever possible.

What happens to BYOD MDM if an employee leaves the company? When an employee leaves a company, their device is typically cleared from MDM or organizational mobility management. All of the organization's applications and data are cleared from their device, while personal information remains intact. A good BYOD policy will strictly separate business information from personal information to protect the organization, but it also benefits users when it comes to informal use. Retiring a device is often called a selective wipe; during this process, IT should also remove all credentials necessary for the user to access corporate applications. MDM platforms such as VMware AirWatch and MobileIron from Workspace One provide protection against factory resets for devices marked as personally owned, so they are never accidentally wiped.

Balancing security and privacy

Organizations can use different approaches to implement BYOD policies. Organizations should always prevent business information from leaking to personal cloud storage or anywhere that IT can't reach. Some MDM platforms, such as MobileIron, provide packaging services for applications, while others, such as VMware Workspace One, deploy separate workspaces.
Android Enterprise provides a work profile that IT can manage, while the rest of the device remains available for personal use.

Even if an organization allows personal devices to access its resources, it should establish certain baselines to maintain security. Organizations should support minimum OS versions to ensure devices receive the latest patches and address known vulnerabilities. For Android, it's worth limiting the types of phones to those from reputable manufacturers; Google provides a list of Android Enterprise Recommended devices. To make the list, manufacturers must adhere to a service-level agreement for releasing patches and ensure that devices have access to multiple OS upgrades.

The latest versions of iOS and Android improve user privacy while allowing organizations to be certain that all devices are securely located. Apple introduced a user enrollment feature on iOS 13 that keeps personal details such as device serial number and IMEI private, but allows IT departments to deploy and manage applications within a dedicated device partition. Android 10 (Q) can enforce minimum strength unlock codes, block installation of apps from unknown sources, and determine whether users can sync personal calendars with work calendars.
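
One way to express the privacy settings, security baseline and selective wipe described above as policy logic (an added example, not code from the original article or from any MDM vendor; the record fields, the MIN_OS values and the action names are assumptions made for illustration):

```python
# Added example: hypothetical device-record schema, not any MDM vendor's API.
MIN_OS = {"ios": (13, 0), "android": (10, 0)}  # assumed baseline for illustration

def _version(text):
    """Parse '13' or '13.4.1' into a comparable (major, minor) tuple."""
    parts = text.split(".")
    return int(parts[0]), int(parts[1]) if len(parts) > 1 else 0

def admin_view(device):
    """Return what IT should see; BYOD records lose location and personal apps."""
    view = dict(device)
    if device["ownership"] == "personal":
        view.pop("location", None)
        view["apps"] = [a for a in device["apps"] if a["managed"]]
    return view

def baseline_violations(device):
    """List the security baselines a device fails, regardless of ownership."""
    problems = []
    minimum = MIN_OS.get(device["platform"])
    if minimum is None:
        problems.append("unsupported platform")
    elif _version(device["os_version"]) < minimum:
        problems.append("os below minimum")
    if not device["passcode_compliant"]:
        problems.append("weak unlock code")
    if device.get("unknown_sources"):
        problems.append("unknown app sources allowed")
    return problems

def retire_actions(device, requested="factory_reset"):
    """Choose offboarding steps; personal devices only ever get a selective wipe."""
    selective = ["remove_managed_apps", "remove_work_data", "revoke_credentials"]
    if device["ownership"] == "personal" or requested != "factory_reset":
        return selective
    return ["factory_reset", "revoke_credentials"]

# Constructed sample record for a personally owned Android phone.
SAMPLE = {
    "owner": "user@example.com", "platform": "android", "os_version": "9",
    "ownership": "personal", "passcode_compliant": True, "unknown_sources": True,
    "location": (52.52, 13.40),
    "apps": [{"id": "com.example.crm", "managed": True},
             {"id": "com.example.dating", "managed": False}],
}

if __name__ == "__main__":
    print(admin_view(SAMPLE), baseline_violations(SAMPLE), retire_actions(SAMPLE))
```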