In the age of Bring Your Own Device (BYOD), many organizations face the dilemma of how to securely integrate and manage personal mobile devices within the enterprise. The field of Enterprise Mobility Management (EMM) is filled with acronyms like MDM, MAM, MCM, DLP and more, which can be confusing to business leaders who have to balance protecting their enterprise against ensuring that security policies on the device do not impinge on the end-user experience.
Broadly, EMM suites offer organizations the following functions:
- Provisioning: The configuration and deployment of mobile devices and apps for enterprise use.
- Auditing, tracking & reporting: Mobile devices can be audited to check for compliance with enterprise security policies. Location, carrier usage, app usage and even individual file usage can all be tracked if required for compliance and accounting purposes. EMM can be used as part of your asset tracking tool and can provide reporting on all of the above.
- Enterprise data protection: EMM suites can encrypt and protect data on the device while in transit across the network. Data loss protection (DLP) policies can be applied to both email and content management suites. In the event of device loss or theft, the enterprise data or the entire device itself can be remotely wiped.
- Support: IT departments can remotely monitor and troubleshoot devices through analytics and by invoking remote actions.
EMM suites perform these services via the following core technical categories. Each organization will use varying degrees of each category depending on their individual requirements.
Mobile Device Management (MDM): When most people think of EMM, MDM is what they are referring to. MDM is the configuration and management of the entire mobile device. Once provisioned via MDM, an organization can locate, track, monitor and remotely wipe an entire device if required. In the early days of EMM, draconian MDM policies caused friction between IT departments trying to secure these new mobile devices, and the users who (rightly) considered these devices as personal and engaging, and resented the intrusive nature of said policies. These days, IT departments are getting smarter about device privacy and how much they really need to monitor while still securing the device properly. Even with the rise of MAM (see next section), MDM still has a very important role to play in managing corporate-owned devices and kiosks, or even BYOD in organizations where security is paramount.
Mobile Application Management (MAM): As BYOD becomes more popular, so does MAM as an alternative to (or used in conjunction with) MDM. Where MDM manages the entire device, MAM secures and manages at the app level. IT departments can deploy a single app to be managed (such as a managed email client), or even create a secure container on the device which manages a range of EMM apps. In BYOD, only the individually managed enterprise apps or secure container are monitored by IT, ensuring that personal use remains private to the user. In the event that the employee leaves the organization (or the employee loses the device), only the enterprise apps and data will be wiped, leaving the rest of the device as is. These enterprise apps and secure container can be protected with individual PINs, passwords, or even two-factor authentication for access.
Enterprise apps managed by MAM, such as secure email clients, protect both your infrastructure and endpoints by allowing only known devices and users to authenticate. Other features such as DLP (preventing copy and paste) and attachment scanning can also be applied. Secure mobile Web browsers can also be implemented, providing access to intranets, enforcing end-use policies, and monitoring browsing activity.
Any enterprise apps developed in-house can be wrapped in the suite’s SDK, which gives the IT department the same app management and security capabilities across both internally developed and EMM vendor apps.
Mobile Identity: EMM suites can help ensure that only trusted devices and users gain access to enterprise applications. Identity capabilities may utilize a combination of the following technologies: user and device certificates, app code signing, authentication, and single sign-on. More recently, EMM suites have been using a range of contextual information such as location, time and usage patterns to help inform access decisions.
Mobile Content Management (MCM): One of the major headaches for IT departments has always been how to securely provide employees with access to enterprise folders and files, anywhere they go. MCM solves this by providing a secure container on the mobile device that acts as an employee’s file drive on the go. Staff can access their required files from anywhere, and IT departments can deploy, revoke and monitor access down to the individual file level. DLP settings can be invoked to deny local download of the file outside of the secure container. MCM can also be used for compliance, as HR departments can check which staff have opened which documents.
Most MCM solutions can connect to a range of back-end content repositories as well as cloud-based ones.
Knowing what EMM can do for you is really only the first step. With the plethora of EMM suites offered, and each EMM vendor claiming that their suite is the best solution, it’s easy to get lost quickly in a sea of products. Poorly informed decisions and a lack of planning will always result in a badly implemented EMM solution that might not even be right for you.
The first step in any planned EMM implementation is to work out what your requirements are. Most organizations tend to have some idea of what these will be, but lack the deep EMM knowledge to flesh these out. Sirius can help by conducting onsite or remote EMM workshops to help organizations elucidate all of their requirements around MDM, MAM, BYOD, MCM and other EMM features.
Once these requirements are documented, Sirius can help in numerous ways. The first is to lock down the various EMM policies for the organization with input from all stakeholders (including end-users). While these policies are fluid and should evolve over time as an organization’s EMM tooling and experience become more mature, it’s important to have a clear set of security policies communicated to staff before the EMM rollout, leaving no room for ambiguity or resentment. A long-term strategy is also advised for the ongoing management of devices and the addition of new features down the road.
Only once your requirements and policies are documented should an EMM vendor be chosen. Some vendors specialize in locked-down, kiosk-only modes, while others develop products with the end-user experience always at the forefront of their planning. Other vendors are preferred for their ease of integration with existing back-end services, while others again focus on a particular security feature or enterprise app. Sirius can help you wade through the endless list of suites (and the pushy vendor sales teams), to help you choose the best EMM suite based on your organization’s individual needs and requirements.
Of course, once a vendor is chosen, Sirius has the experts on hand to either fully implement the EMM suite for you, or assist your team with the rollout.
In conclusion, a successful EMM implementation requires:
- Product knowledge and experience
- Proper planning and execution
- Long-term strategy