MDM for Android devices: What your business needs to know

Thanks to mobile device management (MDM), you can gain granular control over employees' Android devices to ensure those phones and tablets don't become your network's Achilles' heel.
Written by Jack Wallen, Contributing Writer
CNET/CBS Interactive

You can migrate from one smartphone to another without having to do much heavy lifting. With the Android platform, the most challenging thing you need to do is authenticate your new device against your Google account so everything will transfer.

Now imagine that one device turning into 10, 20, 100, or even 1,000. Things start to get far more complex at those numbers. How could you possibly manage 1,000 devices? Believe it or not, people do it. How? With the help of mobile device management (MDM).

What is MDM?

MDM is an industry term associated with the management of mobile devices (most often it is applied to large-scale management) and involves a third-party solution that serves as the centralized management console for the devices. With these third-party solutions you are able to handle tasks that include:

  • distributing applications;
  • locking or wiping a single device;
  • sending software updates;
  • remotely troubleshooting a device;
  • pushing out settings and content;
  • enforcing policy compliance across platforms;
  • managing device lifecycles;
  • detecting jailbroken or rooted devices;
  • encrypting sensitive data;
  • monitoring usage; and
  • containerization.


Why you want MDM in your organization

If you're a large business or an enterprise company, you'll definitely want to look into either MDM or enterprise mobility management (EMM).

There are many reasons why your organization may want to use MDM, but the common thread that runs through each and every one is control. Many of the devices that appear on your company's wireless network hold sensitive data. Because of this, you want to ensure that every device adheres to a strict policy that will go a long way to keep that data safe.

Consider this:

  • some users don't use strong passwords;
  • some users will use their device for personal and business purposes;
  • some devices might not be registered with a service that would allow for remote lock down or wipe; and
  • some users will install social network applications or other third-party apps that could lead to a security breach.

These are just some of the issues that could very easily come back to haunt you. Thanks to MDM, you can gain very granular control over employees' devices to ensure those phones and tablets don't become your network's Achilles' heel.

Some employees may want to use their own device for work purposes (BYOD). Because those devices will be working on a different carrier network (and sometimes on insecure wireless networks), you must ensure those BYOD devices meet your company's security policy. This is where MDM really shines.

Why you may not need MDM

If you're a small business, you probably don't need MDM. If you're a medium-size business, you may want MDM, but the cost-effectiveness and complexity of the solution could overshadow its benefits depending upon the size of your business.

The biggest reason that might keep you from needing MDM is that your business doesn't require its users to access company data from their smartphones or tablets. Or, if you have a company policy that states "No accessing email or data on mobile devices," there is no need for MDM. Chances are, you don't have such a policy.


MDM solutions

There are a lot of MDM solutions. Nearly every carrier offers an MDM solution; there are third-party services such as Miradore, ManageEngine, and IBM's MaaS360; and there is Google.

That's right, Google.

Remember, we're talking about Android. With a basic Google account you could associate a number of Android devices with it and still be able to:

  • install applications;
  • lock, locate, or wipe a device; and
  • manage files from Google Drive.

This is not a complete solution -- you cannot remove apps from the web version of the Google Play Store, nor can you enforce policies -- so unless you need just the bare minimum features, you'll be turning to either your carrier or a third party for MDM.

How MDMs typically work

You must understand that not all MDM solutions are equal. Some MDM solutions offer more features than others; some solutions cost more than others; and most solutions vary in how each task is carried out.

All MDM solutions are built around the idea of controlling what users can and cannot do and ensuring that devices are up to date based on the company policy. Some MDM solutions even offer containerization; these products are often called enterprise mobility management (EMM) solutions. When it looked like the lack of security would undo MDM for the enterprise, certain MDM companies rolled in the ability to wrap apps in containers.

Containerization allows data and/or apps to be wrapped into a secure, encrypted environment to protect sensitive data. It's not just data that are containerized -- applications can be secured with an EMM solution. For example, you can specify that an app for company email be encrypted within a secure container, whereas the personal email app remains outside of the encryption.

Note: Containerization is not offered in every MDM solution. If this is something you believe your company will need, it's best to research the providers you are considering to make sure they offer containerization. AirWatch, for example, does offer this option, whereas Miradore does not.

How IT will use MDM

Although MDM solutions vary greatly, what you can do with them is a bit more universal.

With each solution, the IT staff charged with monitoring MDM will have a management console to log into. From that console every registered device can be viewed and administered. If a new device is to be deployed, the administrator can register the device and then hand it over to the required staff member.

How the administrator registers devices on an MDM console will vary, depending upon the solution you choose. Some MDM services require an app to be installed on each device, whereas some solutions allow the process to be done completely over the air (OTA).

MDM considerations for Android devices

If you happen to have an army of Androids in your company (devices, not employees), there are special considerations you might want to make with regard to MDM.

Android doesn't suffer from the same level of lock-down as iOS -- users can twist and bend the platform to do pretty much anything. If you don't like how the stock firmware behaves, you can root the device and install a different ROM. And there are ROMs out there to meet nearly any proclivity. Rooted devices and devices with variant ROMs can more easily get around company mobile policies by allowing the user to install blacklisted apps.

Many MDM solutions have the ability to install agents on devices that can detect if the device has been rooted. If a rooted device is detected, the agent will notify the admin. Some MDM solutions can even be set up to automatically wipe the device should this issue arise.

Also note that certain features on some MDM solutions only work on specific Android devices. For example, with Miradore, the following features work only with Samsung devices:

  • Application blacklist
  • Application whitelist
  • Email (define POP/IMAP settings for email)
  • Kiosk Mode
  • Mail for Exchange (define Exchange settings for email)
  • Restrictions (define restrictions for the usage of certain applications)

So many possibilities

If your company distributes mobile devices to employees and you're using a single carrier, you'll most likely want to first check out the carrier's MDM solution. If that solution isn't the right fit, you might consider these solutions:


MDM is an outstanding method for controlling company device usage. When you have numerous Android devices, the last thing you want to do is allow users to bypass company policies or have to manage each device by hand. Check out an MDM solution, and see if one of them can help you get those Androids in line.
