Best practices for managing the security of corporate-owned smartphones and tablets

Many businesses are still coping with the challenges of an evolving MDM landscape. Here's some advice from analysts and industry executives on how to manage corporate-owned smartphones and tablets.
Written by Natalie Gagliordi, Contributor

Despite its relative youth, mobility in the enterprise has experienced a complex evolution. In the early days, mobile devices in the workplace were exclusively business-oriented, with IT teams initiating strong device lockdown to ensure the protection of corporate data.

But as consumerization took hold of business and enterprise software, IT admins began to loosen their grip on mobile devices and allowed employees to use personal smartphones and tablets to access corporate applications. The bring-your-own-device (BYOD) trend eventually paved the way for more hybrid approaches to mobile device management (MDM) -- ones that would blend together aspects of corporate control and employee privilege.

However, many businesses are still navigating through the challenges of an evolving MDM landscape. Here's some advice from analysts and industry executives on how to go about managing corporate-owned smartphones and tablets:

Streamline MDM adoption with self-service & out-of-the-box options

Many major OS providers now offer options for IT to configure and set up corporate-owned devices in bulk, explained Sarah Hampton, a product manager for VMware AirWatch. A bulk approach means that, instead of manually configuring email, apps, and profiles on each device individually, admins can configure devices en masse.

There are several programs to help achieve this, including Apple's Device Enrollment Program (DEP) for iOS and Mac OS X and the Out of Box Experience (OOBE) for Windows 10 Desktop and Mobile. With Apple's DEP, for instance, new-device setup is fully automated right out of the box: users just power on the device and join a Wi-Fi network to get the ball rolling. The device then automatically enrolls in the MDM service and receives all of the necessary apps, settings, services, and profiles.

"This is as close to management magic as you can get," said Tad Johnson, manager of product marketing and campaigns for JAMF Software. Johnson also noted how many organizations are using DEP for a "zero touch" deployment model, where IT never even touches the device.

Embrace Corporate Owned, Personally Enabled (COPE)

In many ways, COPE is considered a more manageable alternative to BYOD. It allows companies to maintain control over a device while also giving employees the freedom to use the device for personal tasks. COPE devices typically maintain a segmented or containerized environment, where personal apps and data can be separated from the business apps and data.

"Most employees aren't going to want to carry around two devices, so if an organization does deploy corporate-owned devices, IT should allow employees to also use the device for personal use and have a privacy framework to protect the end user," said AirWatch's Sarah Hampton.

Hampton added that it's also wise for IT teams to take the time to explain to employees that they are only interested in managing corporate content, not personal content such as photos, texts, and emails. It may seem like a no-brainer, but employee privacy can often get left out of the conversation.

Make COPE personalized to your business needs

Once your business decides on the COPE approach, the next step is to outline the goals behind corporate control and the best tools to achieve a desired outcome. For most companies, the main motivator is security.

Phil Hochmuth, analyst and program director on IDC's Enterprise Mobility team, said the general approach is to focus on securing data and applications, as opposed to locking down devices, using identity as the key platform.

"We're seeing deployments of certificate-based device management, using PKI (private key infrastructure) on corporate-owned devices," Hochmuth said. "This allows for single sign-on to mobile apps data access, but revocation of access via management of the certificate."

Hochmuth said businesses are also deploying "wrapped" versions of mobile apps, where data and access are more tightly controlled and can be revoked via mobile application management and mobile content management features. Obviously, there is no single solution that can satisfy every need surrounding data security, so it's best to stay up-to-date on new options that come to market.

Strive for a unified approach

By some accounts, a fully unified device management tool -- one that manages both PCs and mobile devices -- does not actually exist. But there are steps a company can take to consolidate its device management strategy and tools.

According to research firm Forrester, enterprise IT teams are becoming more aware of the user experience and the efficiency that comes from things like unified threat detection and a single enterprise app store. Forrester predicts an eventual convergence of mobile and PC management tools within the next five years.

Always update to the latest operating systems

Major OS providers update their software several times a year to include new security and enablement features designed specifically for the enterprise. In a corporate-owned environment, an updated OS will help IT teams ensure that employees are equipped with the most recent security features to protect corporate data. Many EMM service providers offer same-day support for new OS versions once they are released.
