MDM or EMM?
A fully featured Mobile Device Management suite actually encompasses a lot more than just device management, although that remains the starting point for an end-to-end solution. The other layers that need addressing are the applications running on the devices, the network connection to the enterprise and the data that's accessed, shared or generated. The term that captures this expanded functionality is Enterprise Mobility Management (EMM), and many MDM vendors are busily extending their products in this direction.
Here's a quick tour of the functionality expected at each layer.
At the very minimum, an MDM suite must require users to set numeric or alphanumeric passwords for accessing their mobile devices, and renew them at some designated frequency. Encryption of corporate data must also be enforceable, along with remote locking and wiping of lost or stolen devices. Other basic device-level MDM functionality includes auditing (of device features, status and usage), location tracking, hardware management (disabling a device's camera or Bluetooth connectivity where necessary, for example) and Active Directory synchronisation (for integrating mobile device policies with existing IT management infrastructure). It goes without saying that the leading mobile platforms — iOS and Android on smartphones and tablets, Mac OS X and Windows on notebooks — must be supported.
Advanced device-level functionality includes support for additional platforms (Windows 8 and Windows Phone 8 being uppermost in many minds right now), the ability to separate personal and corporate profiles, and the ability to set context-aware policies that block access to certain capabilities (the device's camera, for example) at certain times or in certain places.
Control over the apps that employees run on their mobile devices is obviously essential: a rogue program downloaded from a mobile OS's native app store could easily compromise a corporate network, for example. So MDM suites should provide IT managers with an inventory of the apps running on users' mobile devices and ideally accommodate a customised enterprise app store where approved apps can be made available securely to particular users or groups. Another approach is to implement a blacklist of apps that are deemed insecure or damaging in some way to employee productivity. A more advanced — and increasingly important — feature is app-specific security via containerisation (also known as 'app-wrapping'), whereby important apps like corporate email get individual secure connections to the enterprise network.
A fully featured MDM/EMM suite needs to monitor device usage so that, should a potentially rogue app get downloaded (perhaps it's not yet on the blacklist, for example), the suite can control access to the corporate network. Unknown, unauthorised or jailbroken devices should not be allowed onto the network. The suite's network security functionality should also ideally integrate with any existing network security infrastructure.
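The admission decision described above can be sketched as follows. This is an added example, not code from the article or from any MDM product. The field names, the three outcomes, the app identifiers, and the choice to deny on a blacklisted app but only quarantine on a missing passcode, missing encryption or an unreviewed app are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    ALLOW = "allow"            # full corporate network access
    QUARANTINE = "quarantine"  # restricted access pending review (assumed outcome)
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    device_id: str
    enrolled: bool            # known to the MDM inventory
    jailbroken: bool
    passcode_set: bool
    storage_encrypted: bool
    installed_apps: frozenset = field(default_factory=frozenset)


# Constructed sample policy data, not taken from any real product.
APP_BLACKLIST = frozenset({"com.example.filedropper"})
APPROVED_APPS = frozenset({"com.example.corpmail", "com.example.crm"})


def evaluate(device: Device) -> tuple[Access, list[str]]:
    """Return the access decision plus the reasons, for the audit trail."""
    hard, soft = [], []
    if not device.enrolled:
        hard.append("device unknown to MDM")
    if device.jailbroken:
        hard.append("device jailbroken")
    for app in sorted(device.installed_apps & APP_BLACKLIST):
        hard.append(f"blacklisted app: {app}")
    if not device.passcode_set:
        soft.append("no passcode")
    if not device.storage_encrypted:
        soft.append("storage not encrypted")
    # Apps on neither list are the "not yet on the blacklist" case:
    # restrict the device rather than trust the app by default.
    for app in sorted(device.installed_apps - APP_BLACKLIST - APPROVED_APPS):
        soft.append(f"unreviewed app: {app}")
    if hard:
        return Access.DENY, hard + soft
    if soft:
        return Access.QUARANTINE, soft
    return Access.ALLOW, []
```

Returning the reasons alongside the decision lets the same check feed the auditing function mentioned earlier.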
Document repositories and collaboration tools such as Microsoft's SharePoint are widely used in larger businesses, but it's not a trivial matter to make them secure in a highly mobile enterprise — and BYOD only exacerbates the problem. Content management in MDM/EMM suites needs to interface and synchronise with leading products like SharePoint, while ensuring that sensitive documents do not escape from the enterprise. If the MDM/EMM suite you're considering lacks this functionality, specialist products such as Colligo Briefcase are available to fill the gap.