Mobile Device Management (MDM) solutions are a popular way for IT organizations to secure the smartphones and tablets that employees bring to work and want to use to access business applications and data. However, the traditional MDM solution may not survive, given the growing concern over user privacy as well as the coarse-grained and sometimes inadequate controls it has over the device. At the same time, mobile operating systems are evolving to provide much better security, enabling better privacy controls for the user and ensuring that data stored on the device is properly protected.
Employees don’t like MDM solutions
One of the biggest concerns an employee has with using MDM to manage their mobile device is that the solution has nearly complete control over the device: they either accept that in order to gain access to company resources and data, or simply do not use their mobile device for business. The problem is that the mobile device must enroll with the MDM solution and accept the policies that IT has defined. That lets IT control critical aspects of the mobile device, but it also grants the MDM solution the privileges to issue remote wipe commands to the device (really the only action that Exchange ActiveSync can perform on “lost or stolen” iOS devices) or to request a full list of all applications installed on the device.
Now, to be fair, many MDM solutions give the administrator more granular controls to selectively wipe the device or to simply remove security profiles from it, but the fact remains that the MDM APIs of these devices give the administrator capabilities that the user in most cases does not want to grant to IT staff.
Example 1: Consider an executive who used his smartphone on a family vacation, where he took several pictures of his family and periodically checked his business email. One day his phone is sitting on the charger and one of his kids picks it up. Wanting to play games or look at the pictures, the child tries to unlock the phone and keeps entering incorrect passcodes until a message pops up saying that the phone is wiping itself. The self-wipe was caused by the policy that most IT departments enforce: the device locks automatically and requires the user to enter a passcode or PIN to unlock it. Since we tend to lose devices, IT also configured the device to wipe itself if someone tries to break in by typing a bad passcode too many times, which is exactly what the child did while trying to get to the games. Next, expect a call from the vacationing executive…
Example 2: The other concern users have with MDM solutions is the lack of privacy on their personal phone once the MDM solution has been granted basic MDM privileges. Once the device is registered with the MDM solution, the MDM can request a full list of the applications installed on the device. That list tells IT a lot more about the user than it needs to know, since the installed apps may reveal personal hobbies, religious beliefs, sexual preference, or marital status and problems. That is far too much information for IT, which frankly does not need it. IT has been conditioned by years of managing laptops to want to control which applications are installed and to prevent users from installing anything that is not explicitly approved. On mobile devices this control is not necessary as long as the device is not jailbroken or rooted, since jailbreaking or rooting turns off the application isolation built into the mobile operating system. The MDM really only needs to check that the device is not jailbroken or rooted; it does not need the full inventory of installed applications, or at most only the business applications it installed itself.
There is a better way to protect business information and applications without handing full control of the device over to the business IT staff: use a container for the business apps and data. Full MDM capability is no longer necessary now that IT can manage the container technology provided natively by Samsung KNOX and Apple iOS. These containers are built into the mobile OS to provide the controls and data protection needed to ensure that business applications and data are secured to meet business requirements.
Containerization to protect business data
There are several solutions that provide a container, or logical grouping of business applications, as a way to isolate business information from the personal apps and data a user may have on his phone. For example, I remember using a Palm Treo in the mid 2000s where IT installed Good so that we could access the company’s Exchange server and protect the email messages and attachments on the device. Today, however, the newer devices and mobile operating systems from both Apple and Samsung have native containerization technology built into the platform, so you don’t need another product; you just need to configure the container for the business via MDM commands.
Apple provides what I would call a virtualized container environment (http://www.apple.com/iphone/business/it/management.html) which can be turned on via its management controls so that Managed Accounts and Managed Apps can be configured to share data easily between themselves while protecting that data from any of the other personal applications the user has installed on his device. When the management system removes the managed accounts and managed apps, it removes all business data, including all email messages, attachments, files and data that these business apps may have downloaded or cached on the device. All of this is provided without changing the user’s experience on the device.
Samsung has built a secured version of Android, based on SE Android, in order to secure the device, applications and data, and to provide the KNOX Workspace (https://www.samsungknox.com/en/solutions/knox) as a secured container that clearly separates work from personal. The KNOX Workspace provides an environment where IT can control the applications and accounts used within the container in order to protect business accounts, attachments and data. This also gives IT controls over the Workspace, so that management of the whole device is not required to provide the level of assurance needed for business use of the user’s personal device.
In both cases, these capabilities are enabled and managed by a modern EMM (Enterprise Mobility Management) solution such as Centrify User Suite (http://www.centrify.com/products/centrify-user-suite.asp, which bundles Centrify for Mobile with every edition of User Suite) or Samsung KNOX EMM (https://www.samsungknox.com/en/solutions/knox-emm), which uses the MDM APIs provided by the device vendor to manage the mobile device configuration in order to create the KNOX Workspace or to configure the Managed Apps and Managed Accounts. Typically the same set of controls that would normally be applied to the device can be applied to the Workspace or to Managed Apps and Accounts; only their scope is narrower. And as much as we’d like the business not to manage our personal devices, the EMM solution must still ensure that the device can be trusted (not jailbroken or rooted) and that the container is properly configured and protected on the device. For iOS this means controlling a few settings that govern data access for managed accounts and managed apps. For Samsung KNOX this means ensuring the OS and container can be trusted through trusted boot and device integrity monitoring.
The user only needs to register with the EMM solution to have the business apps and accounts configured within the container, so that IT can give them access to the business without dictating security policies for the complete device.
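As an added example (not code from Centrify, Samsung or Apple), the following sketch of an EMM compliance check puts the argument of Example 2 and of the paragraph above into working form: the EMM verifies that the device can be trusted (not jailbroken or rooted, trusted boot and integrity monitoring healthy on KNOX) and that the container is configured correctly, it retains only the managed apps from the inventory and discards the personal app list before anything is stored, and every remediation it chooses is scoped to the container rather than being a full device wipe. The check-in field names (`jailbroken`, `rooted`, `trusted_boot_verified`, `integrity_ok`, `workspace_present`, `managed_accounts`, `installed_apps`) and the sample check-ins are constructed assumptions; the two iOS restriction keys are real keys from Apple's Restrictions payload.

```python
# Hypothetical EMM compliance evaluator (added example). Check-in field names are
# assumptions; only the two iOS restriction keys below are real Apple payload keys.
from dataclasses import dataclass

# Real iOS Restrictions payload keys that scope data flow for managed apps/accounts.
REQUIRED_IOS_RESTRICTIONS = {
    "allowOpenFromManagedToUnmanaged": False,  # work documents stay out of personal apps
    "allowOpenFromUnmanagedToManaged": False,  # personal documents stay out of managed apps
}


@dataclass
class Verdict:
    trusted: bool       # OS and app isolation can be relied on
    compliant: bool     # trusted AND container configured correctly
    reasons: list       # human-readable findings
    remediation: str    # always container-scoped; never a full device wipe
    retained: dict      # the minimized record the EMM is allowed to keep


def trust_issues(report: dict) -> list:
    """Reasons the device cannot be trusted; an empty list means trusted."""
    reasons = []
    if report["platform"] == "ios":
        if report.get("jailbroken"):
            reasons.append("device is jailbroken; app isolation cannot be relied on")
    elif report["platform"] == "knox":
        if report.get("rooted"):
            reasons.append("device is rooted; app isolation cannot be relied on")
        if not report.get("trusted_boot_verified"):   # assumed field name
            reasons.append("trusted boot did not verify the OS image")
        if not report.get("integrity_ok"):            # assumed field name
            reasons.append("device integrity monitoring reported a failure")
    else:
        reasons.append(f"unsupported platform {report['platform']!r}")
    return reasons


def container_issues(report: dict) -> list:
    """Reasons the work container is not configured the way policy requires."""
    reasons = []
    if report["platform"] == "ios":
        restrictions = report.get("restrictions", {})
        for key, wanted in REQUIRED_IOS_RESTRICTIONS.items():
            if restrictions.get(key) is not wanted:
                reasons.append(f"restriction {key} must be {wanted}")
        if not report.get("managed_accounts"):
            reasons.append("no managed account configured")
    elif report["platform"] == "knox":
        if not report.get("workspace_present"):       # assumed field name
            reasons.append("KNOX Workspace not created")
    return reasons


def minimize(report: dict) -> dict:
    """Keep only what IT needs; the personal app list is dropped here and never stored."""
    managed = sorted(a["id"] for a in report.get("installed_apps", []) if a.get("managed"))
    return {"device_id": report["device_id"], "platform": report["platform"],
            "os_version": report.get("os_version"), "managed_apps": managed}


def evaluate(report: dict) -> Verdict:
    trust = trust_issues(report)
    config = [] if trust else container_issues(report)   # no point checking a container on an untrusted OS
    if trust:
        remediation = "remove_container"            # pull work apps/accounts; personal data untouched
    elif config:
        remediation = "reapply_container_profile"
    else:
        remediation = "none"
    return Verdict(trusted=not trust, compliant=not (trust or config),
                   reasons=trust + config, remediation=remediation, retained=minimize(report))


# Constructed sample check-ins (not real device data).
CHECKINS = [
    {"device_id": "ios-001", "platform": "ios", "os_version": "8.1", "jailbroken": False,
     "restrictions": {"allowOpenFromManagedToUnmanaged": False, "allowOpenFromUnmanagedToManaged": False},
     "managed_accounts": ["exchange-work"],
     "installed_apps": [{"id": "com.example.workmail", "managed": True},
                        {"id": "com.example.personal.game", "managed": False}]},  # must not be retained
    {"device_id": "knox-002", "platform": "knox", "os_version": "4.4", "rooted": True,
     "trusted_boot_verified": False, "integrity_ok": False, "workspace_present": True,
     "installed_apps": [{"id": "com.example.workmail", "managed": True}]},
    {"device_id": "ios-003", "platform": "ios", "os_version": "8.1", "jailbroken": False,
     "restrictions": {"allowOpenFromManagedToUnmanaged": True, "allowOpenFromUnmanagedToManaged": False},
     "managed_accounts": ["exchange-work"], "installed_apps": []},
]


def run() -> dict:
    """Evaluate every constructed check-in, keyed by device id."""
    return {r["device_id"]: evaluate(r) for r in CHECKINS}


if __name__ == "__main__":
    for device_id, v in run().items():
        print(device_id, "compliant" if v.compliant else "NOT compliant", v.remediation, v.reasons)
```

The design point is that the container check is only run once the OS is trusted, because restriction settings reported by a jailbroken or rooted device cannot be believed, and that the only record the EMM keeps is the output of `minimize`, so a personal app never reaches the management database.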
Next time I will explain how to simplify access to the business through Enterprise SSO services that we can provide inside these container environments to ensure that all cloud service access is performed with the business identity of the user to protect business data.