The first step in establishing mobile device management in a meaningful way is to define acceptable-use rules. This means answering a few basic questions and then translating the answers into a formal policy.
For example, may users access network resources from their personal devices, or is access restricted to company-owned devices? It is also important to decide whether there are restrictions on the kinds of devices employees may use. For example, is it a problem if a user connects to the network with a first-generation iPhone, or should the IT department limit connectivity to devices running current operating systems?
Once these mobile device rules are in place, the next step is to find an administration tool to enforce them. One of the first concerns IT must take into account is security. Despite the significant differences between today's mobile devices, most share some common security basics.
Before IT can apply security rules to a device, the network must recognize it. Most mobile devices cannot join a domain, so mobile device management (MDM) tools must enroll them instead. This registration process lets the network identify the device and lets IT administer it.
Many vendors go further in the enrollment process and offer tools that let users enroll their own devices. In this way, organizations that allow users to work from personal devices can shift the burden of enrollment onto the employees themselves. Enrolling a single device takes seconds, but nobody wants to enroll hundreds or thousands of them by hand. Letting users enroll their own devices gives them the flexibility to add new devices at any time and frees the management teams from manual work.
Once a device is enrolled, IT can secure it. Each MDM vendor takes a slightly different approach to endpoint security, but in most cases enrollment and security are closely linked. Some MDM tools allow administrators to prevent users from enrolling unauthorized devices. For example, an administrator can block enrollment for a device running an unsupported or outdated operating system, or for a device that has been jailbroken or rooted.
Enrollment is also the moment when IT can ask the user to accept certain rules. Employees expect to use their personal devices as they see fit, but IT cannot afford to allow behaviors that compromise the security of network resources. For this reason, the enrollment process requires the user to accept certain conditions of use, in line with the internal policy.
Once these conditions are accepted, the enrollment process ends and the device is secured. Not all devices offer the same security settings, but the most common ones tend to be universal. As a result, MDM vendors can provide standardized interfaces that work with any type of device. These can be used to configure devices through platform-specific APIs or standard mechanisms such as Microsoft Exchange ActiveSync policies.
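The enrollment gate described above, as an added example that is not part of the original article or any vendor's product: a device's reported attributes are checked against a constructed policy (permitted ownership types, minimum OS version per platform, no jailbreak or root, conditions of use accepted) and enrollment is refused on the first failing condition. Versions are compared numerically so that "9.3.5" is correctly judged older than "16.0".

```python
# Added example (not from the article): an MDM-style enrollment gate.
# Device attributes and policy thresholds below are constructed assumptions.
from dataclasses import dataclass


def parse_version(text: str) -> tuple:
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically,
    not as strings (where '9.3' would wrongly sort above '16.0')."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Device:
    platform: str          # e.g. "ios", "android"
    os_version: str        # e.g. "17.0.2", as reported by the device
    ownership: str         # "corporate" or "personal"
    compromised: bool      # jailbroken / rooted flag reported by the agent
    terms_accepted: bool   # user accepted the acceptable-use conditions


# Constructed policy standing in for an organisation's own rules (BYOD allowed).
POLICY = {
    "allowed_ownership": {"corporate", "personal"},
    "min_os": {"ios": "16.0", "android": "13.0"},
}


def enrollment_decision(device: Device, policy: dict = POLICY) -> tuple:
    """Return (allowed, reason). Each failing condition is a hard block,
    mirroring an MDM refusing to enroll a non-compliant device."""
    if device.ownership not in policy["allowed_ownership"]:
        return False, "ownership type not permitted"
    if device.compromised:
        return False, "device is jailbroken or rooted"
    minimum = policy["min_os"].get(device.platform)
    if minimum is None:
        return False, "unsupported platform"
    if parse_version(device.os_version) < parse_version(minimum):
        return False, f"{device.platform} {device.os_version} below minimum {minimum}"
    if not device.terms_accepted:
        return False, "acceptable-use conditions not accepted"
    return True, "enrolled"


if __name__ == "__main__":
    for d in (Device("ios", "17.0.2", "personal", False, True),
              Device("ios", "9.3.5", "corporate", False, True),
              Device("android", "14.0", "personal", True, True)):
        print(d.platform, d.os_version, enrollment_decision(d))
```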
The diversity of devices presents another challenge, this time for application distribution. In a homogeneous, controlled environment, application compatibility is not a big problem: if every PC has the required hardware and operating system, administrators can expect to push applications to each company machine without difficulty. This is not true of today's heterogeneous environments. An administrator cannot push a heavyweight Windows client application to an Apple iOS device. Each class of device now has its own architecture and operating system, so applications typically run on only one platform. If a user decides to work from their personal device,
MDM vendors take a variety of approaches to software distribution. Some offer enterprise application stores that IT can pre-load with validated applications. When users want to install an application on their device, they simply connect to the store and start the download; the store checks compatibility.
Organizations must comply with licensing requirements, and application stores simplify license management. First, most enterprise app stores only allow enrolled devices to connect. Second, these stores can track licenses: when administrators add an application to the catalog, they specify the number of available licenses. When a user installs the application, one license is deducted from that number; when the application is uninstalled, one license is added back.
MDM tools can distinguish between a user's personal apps and company-provided apps, which addresses the specific challenges of BYOD environments. When a user enrolls a personal device, the MDM tool tracks the applications deployed by the company. If the user later decides to take back full control of the device, the MDM tool may be able to remove the company's applications, and recover the corresponding licenses, without touching personal applications. The capabilities and methods for this vary from product to product.
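The license accounting and selective removal described in the last two paragraphs, as an added example that is not part of the original article or any vendor's product: an in-memory enterprise app store that admits only enrolled devices, deducts one seat per install and returns it on uninstall, and on a selective wipe removes only company-managed apps while leaving the user's personal apps (and their seats, which the company never held) untouched. Class and method names are assumptions.

```python
# Added example (not from the article): seat-based licensing for an
# enterprise app store, with a selective wipe that spares personal apps.
class AppStore:
    def __init__(self):
        self.licenses = {}      # app -> seats still available in the pool
        self.installed = {}     # device -> {app: "managed" | "personal"}
        self.enrolled = set()   # devices allowed to pull from the store

    def add_app(self, app: str, seats: int) -> None:
        self.licenses[app] = seats

    def enroll(self, device: str) -> None:
        self.enrolled.add(device)
        self.installed.setdefault(device, {})

    def install(self, device: str, app: str) -> bool:
        """Only enrolled devices may install from the catalog; one seat is
        deducted per install and the install is refused once the pool is empty."""
        if device not in self.enrolled or app not in self.licenses:
            return False
        if app in self.installed[device]:
            return True                      # already present, no extra seat
        if self.licenses[app] <= 0:
            return False                     # pool exhausted
        self.licenses[app] -= 1
        self.installed[device][app] = "managed"
        return True

    def uninstall(self, device: str, app: str) -> bool:
        """Remove a company-managed app and return its seat to the pool."""
        apps = self.installed.get(device, {})
        if apps.get(app) != "managed":
            return False                     # personal apps are not ours to remove
        del apps[app]
        self.licenses[app] += 1
        return True

    def record_personal(self, device: str, app: str) -> None:
        """An app the user installed themselves; the company holds no seat for it."""
        self.installed.setdefault(device, {})[app] = "personal"

    def selective_wipe(self, device: str) -> list:
        """User takes back the device: remove managed apps, recover their
        seats, un-enroll the device, and leave personal apps untouched."""
        apps = self.installed.get(device, {})
        removed = sorted(a for a, kind in apps.items() if kind == "managed")
        for app in removed:
            self.uninstall(device, app)
        self.enrolled.discard(device)
        return removed
```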