Nowadays and even before the pandemic, mobile devices have become an integral part of the business world as every employee owns a smartphone and companies depend mainly on the use of laptops, smartphones, and tablets to handle day-to-day business tasks ranging from critical to mundane. The pandemic only accelerated this digital transformation towards more Cloud environments. But what about security risks and constraints?
In terms of security, the first perimeter of defence has shifted from the traditional network layer (on-premises organization network) to the identity layer. The latter consists of the user identity (credentials) with a multi-factor authentication method, and the device identity or the device used to access corporate resources. Thus, it is of utmost importance to secure these two components as much as possible.
Therefore, the mobile environment needs to be controlled even outside the traditional layer. Otherwise, businesses could face security threats that could result in security or financial complications.
But how to secure mobile devices? Along these lines, we would like to present what is the traditional security mechanism by stressing employee satisfaction during both professional and personal usage.
Classical Mobile Device Management
Mobile Device Management, also known as MDM, is a concept that is deployed to secure and manage the corporate device. As there is no longer a network boundary, this mechanism allows IT to control and secure corporate data or its storage by ensuring a minimum security level must be met on each device.
In order to give you some more tangible examples, IT can ensure, thanks to one MDM rule, that the anti-virus or/and the device network firewall is enabled and up to date. The same goes for OS updates. Also, this brings several opportunities for application provisioning without the need for any user interaction thanks to automation.
Now, in this area of MDM, two profiles exist:
- COD: Corporate Owned Devices – devices being provided by the company and under the full responsibility of the company
- BYOD: Bring Your Own Device – personal devices owned by the user, which are used for company operations (email, calendar, meetings).
In this article, we are not going to focus on the COD or BYOD model but rather show why it could be interesting to adopt a mixed scenario under certain constraints. The objectives are to ensure a good level of security across devices that are not under the direct control of IT, and thus ensuring corporate data is secured and protected at any moment without interfering in any way in the personal area of your employees.
Mobile Device Management drawbacks
In order to understand the cost of device management, here is a simple scenario that most of us are being part of every day:
Miss Gemma uses her smartphone every day for both personal and professional worlds. She likes surfing on certain apps such as Twitter, LinkedIn, Amazon, Zara as well as on travelling blogs outside working hours. But she feels very annoyed when she must enter a security password to access all these because the IT department decided that a long and strong password must be enforced on the device. In addition, she does not understand why the IT service could delete some of her vacation or family albums or why it could limit some device functionality such as access to some travelling website blogs or other applications such as CandyCrush.
This unbounded control affecting indirectly the personal user workflow for a reason of a reason, she feels rather under barricades than free. In the end, work should only be a part of our lives.
Now everyone understand the security need for the business, but is it necessary to restrict freedom and sometimes even productivity? This raises some barriers, which makes it uncomfortable privately speaking. And that is where Mobile Application Management comes into pieces.
Mobile Application Management model
Mobile Application Management, also known as MAM, focuses only on the application level. It segregates personal data from corporate data by setting and managing control parameters only on corporate applications which remains dedicated to only professional uses. Instead of enforcing policies at the device level, which are already very complex in certain environments, it ensures that whenever any corporate data is accessed, the applications used are compliant with the company security level.
In other words, there is a shift in the level of management. While MDM manages the entire device, MAM only manages the corporate applications.
For instance, in a classic MDM, a long complex passwords should be required for unlocking devices even when used personally. While in the MAM model, the same long complex password should be required but only when opening corporate applications and hence leaving the rest of the device under the manageability of its users (short password if they want).
Currently, only Microsoft Endpoint Manager, formerly known as Intune, supports the MAM model. Hence, all Microsoft applications developed for the Windows, IOS and Android platforms are MAM compatible. Some third-party apps are also compatible.
Now and as said earlier, these are valid and safe for scenarios for users or employees who only use their devices to access their emails, calendar, work using Office applications like Words, PowerPoint and participate in some Teams meetings.
Mobile Applications Management’s benefits
Despite being limited to some simple usage scenarios, the MAM has several benefits that can fit both users but also IT:
- User Privacy: Personal data and corporate data are segregated into the devices. Corporate data is protected at any time while respecting the user’s privacy (location of the device not required).
- Overcome the multi-operating system devices: All devices may not run on the same operating system platform and therefore, operating and maintaining the same control on every device can be very complex. In the MAM, only applications are being managed no matter the underlying platform.
- Easiness of deployment: It is very easy to set up at a large scale by simply defining the application policies such as allowed actions (data flows), security behaviours when launching apps (password, fingerprint, faceID).
- No impact in case of user offboarding to security nor privacy: In the case of the user leaving an organization, IT can easily wipe any corporate data stored in the corporate applications. As a result, this solves the problem of users complaining about their photos or any other data loss while leaving a company, as it is the case with MDM enrolled phones. Plus, no IT intervention on the device is required. This goes in the same way for stolen or lost phones, the security of corporate data is ensured.
- Increased Security: As mobile applications are managed instead of the entire devices, IT can set policies to control further any user actions, any data flow from and to other non-managed applications. For example, exporting something from Outlook to the phone messages, mail or notes application can be blocked. However, this could be allowed between Word, PowerPoint, OneNote for instance. So basically, you are making sure that any corporate data remain corporate or managed applications. Additionally, security measures can be very restrictive on the time period a phone has been connected to the Internet: if the device has not been connected to the internet in less than 72 hours, delete the entire content of corporate applications and require a new user sign-in (username, password & MFA) at next application launch. As soon as the device will be connected to the internet and the user would like to open Outlook, for instance, he will need to log in and only then, the data will start being loaded into the device. This is hardly achieved in the MDM model.
MAM or MDM? Final word
To conclude, MDM and MAM are both good ways to manage devices in a corporate environment.
However, we at Excellium Services, think that device management scenarios should be thought and designed considering security, privacy as well as user satisfaction.
As for normal employee usage, such as emailing, calendars and teams meeting, we think that the MAM model is the key. This will not only ensure a good security level for devices but also ensure that employee satisfaction is preserved.
Everyone should have the possibility to decide for themselves what is the desired security level without being constrained in the personal area by their company. Afterwards, even though we are all very committed to our professional occupation, work is only part of our daily lives and several other more important things exist including family.
Do you also agree that employees’ privacy should be taken into account when it comes to security?Let us know!