Guidelines for Selecting Right Mobile Device Management (MDM) Vendor for Your Business

Upload: niiconsulting

Post on 03-Apr-2018


  • 7/29/2019 Guidelines for Selecting Right Mobile Device Management (MDM) Vendor for Your Business.

    1/22

    MOBILE DEVICE MANAGEMENT

    DEPLOYMENT, RISK MITIGATION & SOLUTIONS

    From


    Mobile Device Management

    Confidential Network Intelligence (India) Pvt. Ltd. Page 2 of 22

    NOTICE

    This document contains information which is the intellectual property of Network Intelligence. This document is received in confidence and its contents cannot be disclosed or copied without the prior written consent of Network Intelligence.

    Nothing in this document constitutes a guaranty, warranty, or license, expressed or implied. Network Intelligence disclaims all liability for all such guaranties, warranties, and licenses, including but not limited to: Fitness for a particular purpose; merchantability; non-infringement of intellectual property or other rights of any third party or of Network Intelligence; indemnity; and all others. The reader is advised that third parties can have intellectual property rights that can be relevant to this document and the technologies discussed herein, and is advised to seek the advice of competent legal counsel, without obligation of Network Intelligence.

    Network Intelligence retains the right to make changes to this document at any time without notice. Network Intelligence makes no warranty for the use of this document and assumes no responsibility for any errors that can appear in the document nor does it make a commitment to update the information contained herein.

    Copyright

    Copyright. Network Intelligence (India) Pvt. Ltd. All rights reserved.

    NII Consulting, AuditPro, Firesec, NX27K is a registered trademark of Network Intelligence India Pvt. Ltd.

    Trademarks

    Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owners' benefit, without intent to infringe.

    NII CONTACT DETAILS

    Network Intelligence India Pvt. Ltd.

    204 Ecospace, Old Nagardas Road, Near Andheri Subway, Andheri (E),

    Mumbai 400 069, India

    Tel: +91-22-2839-2628

    +91-22-4005-2628

    Fax: +91-22-2837-5454

    Email: [email protected]


    Contents

    1. Introduction
    2. Typical Design of MDM solution
    3. Understanding BYOD and MDM
        a. Bring Your Own Device (BYOD) policy and MDM in an enterprise
        b. Are BYOD and MDM same things?
        c. If I have a BYOD policy at my company, is MDM deployment necessary?
        d. Okay, so how do I effectively communicate mobile security policy to employees?
    4. Adopting "Personal-liable approach" for Mobile Devices
        a. Benefits in adopting "Personal-liable approach" for personal mobile devices
        b. Security costs incurred for adopting personal-liable approach
        c. Questions to ask before opting for Personal-liable approach for MDM
    5. Selecting an optimal MDM delivery methodology
        a. Premise-based
        b. Software as a Service (SaaS)
        c. Managed Services
    6. Designing BYOD policy before deploying MDM
        a. Do your Homework
        b. Identify user needs
        c. Enacting an End-User License Agreement (EULA) corporate policy
        d. Addressing the privacy concerns
        e. HR and Legal concerns
        f. Training Users and Helpdesk Support
        g. Addressing Authentication issues
        h. Defining Mobile Device Security Rules
    7. MDM Deployment
        a. Policy
        b. Risk Management
        c. Configuration Management
        d. Software Distribution
        e. Procurement issues
        f. Device policy compliance and enforcement
        g. Enterprise Activation / De-Activation
        h. Enterprise Asset Disposition
        i. User Activity Logging
        j. Security Settings
    8. Challenges during MDM implementation
        a. Hidden costs and corporate governance issues
        b. Employee unawareness about information security while using mobile endpoints
    9. Picking the right MDM vendor
    10. MDM vendors
        a. Popular MDM Vendor List
        b. Salient Features of some of the leading MDM vendors
    11. How we can help your organization?
        a. Strong support of Solutions Team
        b. Security Awareness Trainings
        c. Social Engineering Exercises
    12. References


    1. INTRODUCTION

    The explosive growth in the popularity of mobile devices and in their powerful features has led to a sharp rise in the usage of smartphones, tablets and mobile POS devices in the corporate world. Apart from the mobility advantage, these devices have become more efficient, offering better business growth and an increased networking advantage that brings better employee productivity at the workplace. As the market for these devices continues to develop at an exponential rate, concerns about the safety of the sensitive corporate data present on mobile devices, in transit or at rest, also grow proportionately, as tracking the data and relying on its integrity become increasingly challenging. Further, enforcing corporate governance and complying with local laws and trans-border regulations also pose a serious challenge in this case. Hence a technical method to secure, monitor, manage and support mobile devices deployed across mobile operators, service providers and enterprises is the need of the hour, which has led to the development of Mobile Device Management (MDM).

    What is Mobile Device Management (MDM)?[1]

    Mobile Device Management (MDM) software secures, monitors, manages and supports mobile devices deployed across mobile operators, service providers and enterprises.

    MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, including mobile phones, smartphones, tablets, mobile printers, mobile POS devices, etc. This applies to both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers.

    By controlling and protecting the data and configuration settings for all mobile devices in the network, MDM can reduce support costs and business risks. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime.

    What do you mean by "over-the-air"?

    Over-the-air programming (OTA) capabilities are considered a main component of mobile network operator and enterprise MDM software. These include the ability to remotely configure a single mobile device, an entire fleet of mobile devices or any IT-defined set of mobile devices; send software and OS updates; remotely lock and wipe a device; perform remote troubleshooting; and so on. OTA commands are sent as a binary SMS message. MDM enables IT departments to manage many mobile devices used across the enterprise.

    What is Open Mobile Alliance (OMA)?

    The Open Mobile Alliance (OMA) is a standards body which develops open standards for the mobile phone industry. The OMA Data Management specification is designed for management of small mobile devices such as mobile phones, PDAs and palm top computers. It supports the following typical uses:

    • Provisioning: Configuration of the device (including first time use), enabling and disabling features
    • Configuration of Device: Allow changes to settings and parameters of the device
    • Software Upgrades: Provide for new software and/or bug fixes to be loaded on the device, including applications and system software.
    • Fault Management: Report errors from the device, query about status of device

    Since the OMA DM specification is aimed at mobile devices, it is designed with sensitivity to the following:

    • Small foot-print devices: where memory and storage space may be limited
    • Constrained Bandwidth of communication: Such as in wireless connectivity
    • Tight security: As the devices are vulnerable to virus attacks and the like; Authentication and challenges: Are made part of the specifications

    Why the sudden demand for managing mobile devices?

    The popularity of personal smartphones and tablets has created a strong demand to use personal devices at work. Employees feel more comfortable using their own personal devices for work and are willing to bear the cost of liability, maintenance and upgrades. The boost to employee morale and the cost savings to the employer are the major attractions of the employee-liable approach, in which employees use their personal devices at the workplace. Also, the obvious networking advantages offered to C-level executives, managers and top management directors for extending business growth and exploring profitable avenues while on the move present a compelling case to use mobile devices at the workplace or during travel.

    However, risks associated with these devices, such as sensitive corporate data going into the wrong hands and the danger of facing litigation due to an intentional or unintentional data breach, or data losses suffered due to a lost or misplaced device, make a ready case for managing the mobile devices. There are also legal and HR-related issues that need to be ironed out if an employee-liable ownership approach is adopted for the accountability of the devices.

    An organization will still be responsible for maintaining security for these mobile devices as per the SOX, HIPAA etc. federal mandates, but since the devices are not owned by the organization, securing the device and the data becomes a tricky issue, as the organization may or may not own the mobile device in question in the first place. Thus enforcing accountability becomes tricky in such cases.

    Using Mobile Device Management (MDM) solutions, organizations can partially own these devices by enforcing corporate policies and procedures on them. Hence investing in an MDM solution makes sense in these situations.


    2. TYPICAL DESIGN OF MDM SOLUTION[1]

    Typically, solutions include a server component, which sends out the management commands to the mobile devices, and a client component, which runs on the handset and receives and implements the management commands. Optionally, a vendor may provide both the client and the server; in other cases the client and server will come from different sources.

    Central remote management, using commands sent over the air, is the next step. An administrator at the mobile operator, an enterprise IT data center or a handset OEM can use an administrative console to update or configure any one handset, group or groups of handsets. This provides scalability benefits, particularly when the fleet of managed devices is large.


    3. UNDERSTANDING BYOD AND MDM

    a. Bring Your Own Device (BYOD) policy and MDM in an enterprise[1]

    As Bring Your Own Device (BYOD) business policy is becoming more popular, corporations can use MDM to allow employee-owned devices inside the corporate firewall due to better device management capabilities. Employees also have more freedom to choose the device that they like instead of being forced to use particular brands by the IT department. Using MDM, IT departments can also manage the employee devices over-the-air with minimal intervention in their schedules.

    b. Are BYOD and MDM same things?[2]

    No. BYOD (Bring your own device) is a business policy of allowing employees to use their own devices for carrying out business-related work by granting access to company resources backed by proper authentication controls. BYOD represents a policy of offering mobility to a very broad range of organization resources, typically delivered either by robust mobile policy, or managed via implementation of MDM, DaaS (Desktop as a Service) etc.

    MDM can be thought of as a subset of BYOD, which is designed to securely manage mobile device endpoints by enforcing corporate policies over-the-air on the employees' mobile devices.

    c. If I have a BYOD policy at my company, is MDM deployment necessary?

    If you have designed and implemented a robust BYOD policy properly across your organization, then you have to evaluate your options carefully before going for an MDM solution. If the primary aim of adopting BYOD was only to get rid of device ownership, it will not make sense to invest in MDM (esp. if your company is small or medium sized).

    However, if your aim is to prevent sensitive data leakage and enforce device security settings for employees as they access sensitive corporate resources, or if your business is rapidly scaling up, it definitely makes sense to implement MDM. Keep in mind that a proper mobile security policy has to be there in any case to protect vital corporate information.

    MDM helps to reduce costs and improve productivity in the longer run when implemented correctly for the organization. If implemented improperly on a loosely defined security policy, it becomes expensive to maintain and achieves little to safeguard sensitive corporate information. Hence, proper care and precautions are needed to develop a robust mobile security policy before opting for an MDM solution.

    d. Okay, so how do I effectively communicate mobile security policy to employees?[12]

    Effective communication means making the employees understand the policy as easily as possible. Make it simple and direct while keeping it short, sweet and to the point. If you can get employees to be aware of the security elements in your environment, they will be the ones who will spot things and report them immediately, assuming they know what to spot and know whom to report it to. Make them aware of BYOD security policy first, not MDM.

    Help your employees understand what is at risk. It comprises not just theft, loss or the exposure of information or device, but other risks, which they face while they are mobile. Make them aware of the risks involved in the types of environments that they encounter while being mobile and how they should address them.


    4. ADOPTING "PERSONAL-LIABLE APPROACH" FOR MOBILE DEVICES[3]

    a. Benefits in adopting "Personal-liable approach" for personal mobile devices

    Many organizations may offer their employees a fixed monthly stipend to help offset their monthly voice and data bill. This approach results in predictable mobile expenses for the corporation, and employees become responsible for the costs of their mobile devices and data plans. Hence, expenses related to mobility-related asset management, such as acquisition, maintenance, processing of payment for carrier invoices and disposal of devices, can be heavily reduced or eliminated.

    The organization may also position itself as a flexible employer and may be able to recruit and retain tech-savvy workers, who typically have a strong attachment to a favourite mobility platform. Productivity can be increased as employees have more options when working out of the office. Additionally, organizations may be able to secure reduced monthly costs for service and premier-level support from the carriers for their employees.

    It is generally observed that employees take better care of their personal belongings, as they are more attached to their devices because of the ownership they assume over them.

    b. Security costs incurred for adopting personal-liable approach

    While the personal-liable model offers benefits for both employees and employers, addressing the important issues of security and governance becomes more complicated and expensive. When sensitive corporate information is stored on a corporate-owned device, the organization can implement and enforce strict controls on the operating system and other features of the device, such as Wi-Fi and Bluetooth, to prevent unauthorized use of that sensitive information. But this is not the case in the personal-liable approach, as the device owned by the employee is not a corporate asset but may carry sensitive corporate data.

    Security measures are required to mitigate the risks associated with employees installing applications from app stores. These untrusted applications may expose corporate data or infect other devices in the organization's network. Also, the company might experience additional expenses to support multiple mobility platforms.

    Support costs may increase as more, and higher-skilled, help desk personnel are required. Similarly, application development costs may increase. Organizations must implement an employee agreement to address topics that include acceptable use of personal devices and corporate access to the employee's device. The financial arrangements relating to stipends or reimbursement of actual expenses should also be included in this employee agreement. Corporate counsel should carefully weigh any record-keeping requirements for SMS text messages or call logs made from mobile devices and evaluate potential legal consequences of capturing this information from employee-owned devices.


    Finally, employees may discover unexpected expenses associated with using their personal device for work. While their current voice and data plans may be sufficient for personal use, usage may expand dramatically when used for work calls and applications. The cost increase may be sharp, especially for employees who travel internationally, where roaming charges make the costs very high. If the organization reimburses for actual costs, an employee may find that they spend several hours a month separating their personal costs prior to submitting the bill for reimbursement.

    c. Questions to ask before opting for Personal-liable approach for MDM

    • Are there any specific concerns that would preclude the use of employee-owned devices?
    • Is the organization willing to implement additional security controls to allow a broader range of devices?
    • Is the corporation willing to accept a short-term increase in risk to allow newer platforms access to data while the devices' management and security tools mature?
    • How will the organization respond to inappropriate material on a personally-owned device? Who decides what is inappropriate?
    • Under what conditions could the organization examine the personal property of an employee?
    • What are the laws in your jurisdiction? Do laws differ depending on whether the employee uses the device for their own convenience?
    • If the risks associated with the personal-liable approach are too high, is there a subset of employees with a lower overall risk profile that might qualify for personally-owned devices?


    5. SELECTING OPTIMAL MDM DELIVERY METHODOLOGY[9]

    Three MDM delivery mechanisms are available, which you can choose from depending on your staff expertise and the investment you are willing to make for deploying MDM in your organization.

    a. Premise-based

    If you want to maintain a high degree of control and also have reliable IT skills and resources, then you would likely select a premise-based solution. This is ideal if you prefer to directly control the system's security and administration. A premise-based MDM solution requires a larger up-front investment.

    b. Software as a Service (SaaS)

    If you don't want to maintain servers at your site(s) but still want the management and administration to be in your hands, then you should consider an on-demand offering. Customers can negate or minimize the up-front cost and instead pay a monthly or annual fee for the system.

    c. Managed Services

    If your IT department is over-extended or lacks the required expertise, you can consider a managed services offering. This option allows you to turn the management function over to experts who handle it for you. This proactive management service provides support without draining internal resources and still provides regular status reports so that you are aware of specific items like roll-outs, software/hardware updates and asset/inventory control.

    Consider each method carefully. Enquire with vendors and look for one that can support all of the deployment options to best serve you now and into the future.


    6. DESIGNING BYOD POLICY BEFORE DEPLOYING MDM[5]

    A successful MDM implementation cannot be completed without proper planning of BYOD business policy and procedures. While BYOD policies establish a common ground of communication between the employer and the employee and define the boundaries of ownership of the data present on personal mobile devices, MDM offers the employer and organization peace of mind if any unwanted incident is reported. The security of the data can then be managed via remote wipe, encryption, self wipe etc.

    a. Do your Homework

    • Work with the Legal and HR departments to define a personal device policy aligned with the organization's information policy
    • Use social media to engage in dialogue with employees to get a feel for their work style and support needs
    • Develop new authentication methods and device management policies that help safeguard corporate information and intellectual property.
    • Provide training on information security to employees, and on the personal device policy to IT Service Desk personnel.

    By applying safeguards to protect information and intellectual property, employees can select the tools that suit their personal work styles and facilitate their job duties. This improves their productivity and job satisfaction.

    Identify minimum security specifications such as:

    • Make two-factor authentication mandatory to push e-mail
    • Secure storage using encryption
    • Security policy setting and restrictions
    • Secure informational transmittal
    • Remote wipe capability
    • Ability to check viruses from server side
    • Patch management and enforcement software for rules
    • IDS capabilities on server side of connection

    b. Identify user needs

    Construct a blog/online poll or questionnaire to find out the needs of the user. Take user feedback on questions such as:

    • Why do you want to use your own device(s) for work?
    • What would you give up to use your device for work?
    • What does your personal device do to help you work?
    • Would you increase security habits for more device freedom?

    By analyzing the responses in close collaboration with the HR and Legal teams, you can make informed decisions about going forward with forming the policy on usage of mobile devices.


    c. Enacting an End-User License Agreement (EULA) corporate policy

    The EULA provides employees with very clear instructions on what they can or can't do with a device. Stress has to be placed on managing and protecting the corporate data stored on the device. Also, emphasis has to be placed on not sharing the unlocked device with non-corporate users, including friends or family. If any company data resides on their devices, it should be backed up to a company-owned device by default. Types of devices allowed, such as tablets, smartphones etc., must be stated clearly in the policy. The EULA policy must be generic enough to cover all the allowed devices sufficiently.

    The EULA must be reviewed, preferably each quarter, to ensure that as technology and user demand change, the legal protection provided by the policy remains up to date. Users must re-sign the updated EULA when they move to new technology. Finally, it should be made clear that employees who refuse to sign the EULA can't use personal devices to access corporate information.

    d. Addressing the privacy concerns

    For addressing the privacy concerns, the policy must clearly define the following terms:

    • Corporate-owned data: Business data or intellectual property owned by the company.
    • Employee-owned data: Data owned by the employee, such as task list, notes, family photos.
    • Personal data: Data controlled by privacy legislation, such as medical records, home address.

    In cases where there is a cross-over between personal and corporate-owned data, such as calendar records, the policy should state clearly that during an investigation, the confiscated device's personal data may be viewed during forensic analysis.

    e. HR and Legal concerns

    HR policy must state clearly under what circumstances employees will be compensated for activities outside their working hours. Time sheets must adequately reflect those activities. Legal policy must state that in case of legal hold or eDiscovery, the employee must immediately surrender his/her device on request, after which all files may be copied and relevant ones may be used to pursue the legal matter. Employees who are subjected to legal hold might have certain restrictions on device usage and should comply with those restrictions to continue work.

    f. Training Users and Helpdesk Support

    Stating the policy is the easy part. The hard part is to train users about what the policy means and how to protect information on their devices, as the BYOD trend and MDM implementation are relatively young and not well understood by users. Users must be made aware of the risks and penalties that will result if sensitive corporate information is leaked, whether by accident or by intention. Sharing the device with family and friends should be discouraged, and employees must be made aware of the risks that might emerge from such behaviour. Violation of these rules must attract appropriate disciplinary controls as defined by the policy. It is crucial for employees to understand that the helpdesk is to be contacted first in case of a lost or stolen device. Once the incident is reported, the helpdesk can quickly issue a data wipe on the device over the carrier network. Many employees, in a wave of panic, might inform the carrier service about the lost or stolen device first. In such cases, a data wipe can't be issued, as the carrier service has already been shut down at the request of the employee. Any charges incurred, such as fraudulent calls etc., may be reimbursed by the company later.

    Apart from employees, helpdesk and support staff must undergo mandatory training to reduce any chances of miscommunication for any query raised by the employees. Care must be taken that they don't accidentally invalidate the EULA policy by supplying incorrect answers. Here, extensive mock drills must be conducted after every policy review or revision to minimize such incidents. FAQ manuals must be made available online to everyone for ready reference.

    g. Addressing Authentication issues

    For better security, two-factor authentication is used for accessing corporate information. Since the device is unknown in this case, the challenge lies in how to achieve it. For this, a random text message is sent to a predefined phone number. Thus, the text message sent by the server is the "must-know" factor and the phone number is the "must-have" factor, which together enable two-factor authentication.
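
    The text-message scheme described above, sketched as an added example (not code from the original document): the server generates a random code, sends it to the predefined number, and accepts it once within a time limit. The code length, lifetime, retry limit and the `send_sms` gateway callable are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6          # assumed code length
OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 3        # assumed retry limit per issued code


class SmsOtpService:
    """Issues one-time codes to the phone number registered for a user."""

    def __init__(self, registered_numbers, send_sms, clock=time.time):
        self._numbers = registered_numbers  # user -> predefined phone number
        self._send_sms = send_sms           # hypothetical SMS gateway callable
        self._clock = clock
        self._pending = {}  # user -> [salt, digest, expiry, attempts_left]

    @staticmethod
    def _digest(salt, code):
        # Keep only a keyed hash server-side, never the code itself.
        return hmac.new(salt, code.encode(), hashlib.sha256).digest()

    def start_login(self, user):
        """Send a fresh random code; only the registered number receives it."""
        number = self._numbers.get(user)
        if number is None:
            return False
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[user] = [salt, self._digest(salt, code),
                               self._clock() + OTP_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(number, code)
        return True

    def verify(self, user, submitted):
        """Accept the code once, before expiry, within the attempt limit."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        salt, digest, expiry, attempts_left = entry
        if self._clock() > expiry or attempts_left <= 0:
            del self._pending[user]
            return False
        if hmac.compare_digest(digest, self._digest(salt, submitted)):
            del self._pending[user]  # single use
            return True
        entry[3] -= 1
        return False
```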

    h. Defining Mobile Device Security Rules [12]

    A device used for accessing corporate data must meet the following prerequisites:

    - The device user must have signed the company's EULA policy.
    - It must have a personal identification number (PIN).
    - It has to support a code lock.
    - It has to have an auto-lockout feature.
    - It has to support encryption.
    - It has to support remote wipe.

    Further, security policies must be enforced via MDM, such as:

    - User-defined lock code of minimum length as defined in policy.
    - Auto-lockout period set as per policy.
    - Issuing a data wipe if the user reports the device to be stolen.
    - Automated data wipe issued (for corporate data only or both) after x incorrect attempts to open the lock screen.
    - All corporate data is encrypted with a strong key.
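
    An added example (not part of the original document) that evaluates device records against the prerequisites and enforced policies listed above. The field names, threshold values and the wipe-scope choice for BYOD devices are assumptions; the page leaves them to the organisation's policy.

```python
from dataclasses import dataclass

# Assumed policy values; the page leaves the actual numbers to company policy.
MIN_LOCK_CODE_LENGTH = 6
MAX_AUTO_LOCK_SECONDS = 300
MAX_FAILED_UNLOCKS = 10   # the "x" incorrect tries before an automated wipe

@dataclass
class Device:
    owner: str
    byod: bool
    eula_signed: bool
    lock_code_length: int       # 0 means no PIN / lock code is set
    auto_lock_seconds: int      # 0 means auto-lockout is disabled
    encryption_enabled: bool
    remote_wipe_supported: bool
    failed_unlocks: int = 0
    reported_stolen: bool = False

def prerequisite_failures(d):
    """Return the prerequisites from the list above that the device misses."""
    n = d.lock_code_length
    checks = [
        (d.eula_signed, "EULA not signed"),
        (n > 0, "no PIN / lock code"),
        (n == 0 or n >= MIN_LOCK_CODE_LENGTH, "lock code too short"),
        (0 < d.auto_lock_seconds <= MAX_AUTO_LOCK_SECONDS, "auto-lockout off or too long"),
        (d.encryption_enabled, "encryption disabled"),
        (d.remote_wipe_supported, "remote wipe unsupported"),
    ]
    return [reason for ok, reason in checks if not ok]

def decide(d):
    """Map a device record to an MDM action: wipe, block or allow."""
    if d.reported_stolen or d.failed_unlocks >= MAX_FAILED_UNLOCKS:
        if not d.remote_wipe_supported:
            return ("block", ["wipe needed but unsupported"])
        # Assumption: BYOD devices get a corporate-data-only wipe.
        scope = "corporate-only" if d.byod else "full"
        return ("wipe:" + scope, [])
    failures = prerequisite_failures(d)
    return ("block", failures) if failures else ("allow", [])

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("asha", True, True, 6, 120, True, True),
    Device("ben", True, False, 4, 120, False, True),
    Device("chen", False, True, 8, 60, True, True, reported_stolen=True),
    Device("dana", True, True, 6, 120, True, True, failed_unlocks=10),
]

def evaluate(inventory):
    """Return {owner: (action, reasons)} for every device record."""
    return {d.owner: decide(d) for d in inventory}
```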

    7. MDM DEPLOYMENT [8]

    Essential components of MDM to consider during the deployment phase are:

    a. Policy

    A well-defined policy provides management direction and support for IT and information security and is the foundation for solid framework implementation.

    b. Risk Management

    Periodic assessment of risk should be done. For high-risk cases, additional controls may be implemented to reduce risk to an acceptable level. Similarly, for low or non-existent risks, minimal controls may suffice.

    c. Configuration Management

    This involves automatic configuration of device settings like password policy, email, Wi-Fi, VPN. This aids in elimination of user errors and minimizes vulnerabilities caused by misconfiguration. This also includes configuration lockdown as per the user's role-based permissions to enforce corporate IT mobility policies.

    d. Software Distribution

    This includes over-the-air updates/patches for OSs, applications, synchronization, fixes etc. Backup and restore operations become vital in situations of device crash and replacement in case of any intentional/unintentional wipe-out. When aligned with corporate mobile policies, it ensures that only trusted mobile applications are distributed. Together with configuration management, software distribution enables white-listing/black-listing of applications on mobile devices. For maximum efficiency, it is recommended to test the mobile applications separately to check their trustworthiness before distributing them over-the-air via MDM.

    e. Procurement issues

    It is important to coordinate with the HR and Legal teams to define certain terms and conditions in policy and employee agreements. Liability for all parties must be clearly defined in these agreements. This should include private usage of corporate services, expense compensations, employee privacy policy, shared responsibilities for device and content security, misuse, secure wipe of device including personal data in case of device loss/theft etc.

    f. Device policy compliance and enforcement

    This covers device supply, control and tracking. Asset-based inventory assessments are critical prerequisites for policy enforcement to comply with corporate/regulatory mandates around policies, jail-broken/rooted device detection, encryption, privacy-based separation of corporate content vs. personal content etc. It is also concerned with the alerts and notifications for asset reporting about devices, users and apps. Overall, it provides an effective governing control over mobile endpoint devices which can be easily tested against ISMS standards such as ISO 27001, making audit activities easier as well.

    g. Enterprise Activation / De-Activation

    Proper implementation of this functionality to connect mobile devices to the enterprise network reduces the administrative burden of provisioning and re-provisioning at the IT department. Details exchanged with the server typically include OS, device identifier, IMEI number etc. After activation, some configuration settings might be changed, such as enabling encryption, password settings, application restrictions etc.

    h. Enterprise Asset Disposition

    This involves removal of physical devices by de-commissioning, or releasing them to the BYOD owner in case of device exchange, upgrade or permanent de-commissioning. Follow-up procedures include notifying inventory management, generating a user receipt and accepting user acknowledgement etc. If decommissioning is permanent, a secure wipe of corporate data must be done and the device should be handed over to the employee with his private data untouched.

    i. User Activity Logging

    Logging must be done carefully in accordance with the various privacy laws, rules and regulations of the country in which the company operates its business. Professional legal counsel must be approached before defining the policies governing user activity logging.

    j. Security Settings

    These can be categorized into user security and data security. Data security consists of wiping corporate data/personal data in case of device loss/theft. It also extends to role-based user permissions enforced via MDM solutions. User security consists of encryption, authentication on enterprise portal login, lock code, and selective wipe in case a remote wipe is issued. Selective wipe leaves personal data as it is and only erases corporate data residing on the mobile device. It also covers certificate-based authentication.

    8. CHALLENGES DURING MDM IMPLEMENTATION [6]

    a. Hidden costs and corporate governance issues

    Enterprises typically see MDM implementation as a measure to save costs and manage mobile endpoints effectively in the process. Often MDM is seen as a complementary practice exercise in tandem with BYOD policy. But the reality is that if your BYOD business policy is not properly defined or effectively enforced, an MDM solution will be patchy at best and cost-prohibitive at worst.

    Also, mobile OSs natively run in a sandboxed environment and hence, unless rooted/jail-broken, make it very difficult to enforce corporate policies. But as mobile OSs themselves evolve over time, many MDM-like features will be provided natively by them.

    Corporate governance becomes complex as mobile endpoints, which may or may not be owned by the enterprise, are added to the asset inventory. If your mobile device policy or BYOD policy is not properly defined, MDM may report false positives or a large number of false negatives if not properly implemented. This will lower employee morale and cause confusion and mayhem at the workplace. Cost escalation might be the direct consequence of a bad implementation of an MDM solution.

    b. Employee unawareness about information security while using mobile endpoints

    Employees may freely share their devices with their co-workers, family members or friends, which can increase the chances of accidental data breaches of corporate information. Identity theft may result in extreme cases, and if some unwanted or intentional damage is caused by that, the blame rests squarely on the employee and he might have to suffer consequences such as job dismissal in case of fraud done by "his (enemy) friend". Using social engineering, competitors can fool the employee into revealing details by handing over his mobile device for a "few minutes", gathering valuable information for corporate espionage.

    To counteract these threats and the associated risk, information security awareness programs and trainings must be conducted on a mandatory attendance basis to equip employees to counter such attacks.

    9. PICKING THE RIGHT MDM VENDOR [4]

    On close observation, security features such as remote wipe, encryption and enforced password requirements are pretty standard and are provided by almost all the vendors. So, look at the other areas where you could address your business needs better.

    Key factors to consider while shopping for an MDM solution:

    - Deployments: Assess how efficiently the MDM agent can be deployed on a new device. Deploying new phones isn't a one-time job; it's never-ending.
    - White-list and blacklist filters: You'll have apps that every employee must install, some that are banned, and some apps that you insist are updated to at least a certain version.
    - Custom Appstore: Is there a feature offered by the MDM vendor for installing custom, unapproved apps and setting up a company app store experience?
    - Application Security: Does the MDM vendor offer built-in support for malicious application scanning?
    - Browser security: Filtered mobile Web browsing can lower the risk of attack on a device. Is the MDM provider implementing this level of security?
    - Encryption levels: Do you have to encrypt the entire device, or does the MDM provider let you encrypt company-specific or selected files and folders?
    - Data wiping: Is there support for selective wipe, which erases only corporate data in case a remote wipe is issued?
    - Auto-provisioning of devices: Is there any option for automatic device provisioning?
    - Architecture: Examine the vendor's approach to the MDM solution, such as sandbox, virtualization or integrated approach. This is important in understanding the vendor's technology and your future road map planning.
    - Location capabilities and network access restrictions: Do you want to let employees use their device's camera for personal use but not at the office? Check whether the MDM solution supports such policies. How robust are the policies?
    - Inventory management: Is it easy to search, custom filter and modify individual mobile endpoints among hundreds of managed mobile devices? What are the filtering capabilities provided?
    - Reports: Is there built-in reporting for new devices provisioned, apps out of compliance and devices that haven't checked in for a day or a week?

    10. MDM VENDORS

    a. Popular MDM Vendor List

    - MobileIron
    - AirWatch
    - Zenprise
    - Good Technology
    - FiberLink
    - BoxTone

    b. Salient Features of some of the leading MDM vendors [11]

    MobileIron:

    - Healthy mix of partnership relations with distribution channels and OEMs such as AT&T, Vodafone, Apple, Google, Microsoft, RIM, Cisco, HP and IBM.
    - Demonstrates life cycle management, including usage monitoring, cost control, application deployment and version control.
    - Offers strong support for corporate and personal devices.
    - Strong reporting and dashboard capabilities.
    - Supports text messaging archiving for devices connected to corporate email.

    AirWatch:

    - Has a strong security focus, with enterprise integration services that encrypt traffic between the enterprise's servers and its cloud system.
    - Offers Web-based as well as agent-based enrolment.
    - Strong capability to profile, with detailed and easy-to-use policy settings.
    - Has a strong administrative interface which is easy to use and manage.
    - Easily scalable and can support large numbers of users across multiple areas.

    Zenprise:

    - Zenprise Mobile DLP provides innovative secure container solutions to operate local mobile devices, as well as to be accessed in the cloud.
    - Application-blacklisting technique works across Apple iOS and Google Android devices.
    - Offers its own secure Web gateway and can also integrate with Blue Coat Systems and Palo Alto Networks.

    Good Technology:

    - Large installed base in regulated sectors, such as financial services, government, defense, public sector, healthcare and professional services.
    - Good Technology has the strongest implementation of containerization.
    - Has strong security capabilities, including FIPS 140-2 crypto libraries, end-to-end 192-bit encryption, multiple-factor authentication and multiple certifications.

    11. HOW WE CAN HELP YOUR ORGANIZATION?

    a. Strong support of Solutions Team

    NII has been working in close association with leading MDM solution products. Our solution team is well trained and qualified to handle any support-related queries you may have.

    Currently we have actively associated our MDM partnership with MobileIron. Our team consists of certified MobileIron experts who understand each and every module of the solution and have extensive hands-on experience.

    b. Security Awareness Trainings

    We conduct numerous security trainings for our clients and help them to understand the risks faced by carrying corporate data on their mobile devices. We put forward the precautions and industry best practices they need to follow for securing the sensitive information.

    c. Social Engineering Exercises

    We also conduct live sessions on social engineering exercises which demonstrate by practical examples how even a person reasonably well informed about security can be easily tricked by cleverly crafted social engineering attacks. Having knowledge of these kinds of attacks makes sure your corporate data is secure in the hands of your employees.

    12. REFERENCES

    1. http://en.wikipedia.org/wiki/Mobile_device_management
    2. http://en.wikipedia.org/wiki/Bring_your_own_device
    3. http://www.secureworks.com/resources/whitepapers-shortcut/74568
    4. http://www.informationweek.com/global-cio/interviews/byod-why-mobile-device-management-isnt-e/240142450
    5. http://www.intel.in/content/dam/www/public/us/en/documents/best-practices/enabling-employee-owned-smart-phones-in-the-enterprise.pdf
    6. http://software.intel.com/sites/billboard/sites/default/files/Maintaining_Info_Security_Allowing_Personal_Hand_Held_Devices_Enterprise.pdf
    7. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Guidance_v1.pdf
    8. https://downloads.cloudsecurityalliance.org/initiatives/mobile/Mobile_Device_Management_Key_Components.pdf
    9. http://www.wavelink.com/whitepapers/avalanche-delivery-whitepaper.pdf
    10. http://i.dell.com/sites/content/business/solutions/whitepapers/en/Documents/unlocking-power-mobile-device-management.pdf
    11. https://dell.symantec.com/system/files/Magic_Quadrant_for_Mobile_Device_Management_Software.pdf
    12. http://searchsecurity.techtarget.com/news/2240148521/BYOD-security-policy-not-MDM-at-heart-of-smartphone-security
    13. http://boxtone.com/white-paper-lp/enterprise-iphone-ipad-ciso-security-wp-web.aspx
    14. http://info.desktone.com/whitepaper-byod-implications-for-it-virtual-desktops.html