MDM is Not a Silver Bullet
MDM is Not a Silver Bullet is the fifth blog post in a series entitled the “Top 10 Considerations for your Enterprise Mobile Strategy”. To receive the rest of the considerations directly to your inbox, sign up using the form on the left!
The Introduction of BYOD
With the proliferation of employee-owned mobile devices, IT departments are looking for ways to mitigate the risk of corporate data being exposed on devices outside the typical scope of IT control. In some ways this is not a new scenario for IT. In the past, however, the prevalent use case on personal devices was limited to connecting to corporate email. Most enterprise email platforms offered some capability to remotely manage the data on the mobile device, or at least to remove that data remotely. The risk of data loss was therefore limited, and IT was comfortable supporting this scenario. With the explosive growth of personal smartphones over the past few years, and with users demanding deeper access to corporate data, IT teams are now dealing with a far more disruptive change. This BYOD phenomenon and the associated consumerization of IT has been covered in detail in some of our earlier blog posts.
IT initially saw BYOD as a loss of control compared with the traditional models of governance, but is starting to see BYOD as a cost-saving opportunity.
Associated with this change in mindset is an understandable desire to have some level of control. In the minds of most IT departments this essential level of control comes by way of acquiring a Mobile Device Management (MDM) solution.
It is no surprise, then, that MDM software is finding its way onto the list of essential items in the corporate IT budget. IT departments have either acquired or are contemplating some type of MDM solution. Correspondingly, MDM vendors are seeing great success in acquiring new customers, and corporate mobile service providers are adding MDM platforms by acquiring or partnering with MDM companies.
The typical MDM adoption path starts with identifying an MDM platform, standing it up (in-house or in a SaaS model), and launching a pilot to manage a subset of corporate and employee devices, with the hope of growing it into a discipline under IT. We have seen most MDM initiatives struggle to mature beyond this point. This is the point of realization that the MDM solution is only one component of the BYOD puzzle, and that a lot more is needed to deploy a BYOD platform effectively. Hence the appropriate, if clichéd, "silver bullet" title of this blog post.
5 Considerations for BYOD Success
What is it then that defines the various components of a BYOD program? We like to talk about it as the BYOD Component Model. This component model has served us and many of our clients well in standing up their BYOD programs.
We have used this model to define our approach within our BYOD and MDM Kickstart. Our approach focuses on understanding the readiness of each of these components in the organization's current context and creating a roadmap for a successful BYOD/MDM launch. With the component model serving as the backdrop, we offer the following 5 considerations for BYOD success that go beyond an MDM solution:
Policies come first, technology second
If your organization has not taken the time to define acceptable use policies for mobile devices, has not yet understood the expected user behavior in response to those policies, and has not yet defined the governance and control mechanisms around them, it will struggle to implement an effective MDM solution. It is important to view your MDM platform as a way to monitor and govern policies that are already understood, rather than as a way to roll out mobile device policies. Get your Legal and HR teams on board as you develop these policies, and get their approval before trying to enforce them through the MDM platform.
Be realistic in what you manage
MDM platforms can give IT significant control over mobile devices; in some ways too much control. This is a double-edged sword. MDM platforms have been architected to meet the demands of situations that require a very high degree of "lock-down" to satisfy regulatory audits. That level of control, however, can easily be over-exercised by over-ambitious IT groups. As an example, requiring a password on a device is a capability that can be enforced as part of a policy on a device under MDM control. But the nuances, such as how often the password is changed, how strong it needs to be, and how quickly the device locks on inactivity, all require a careful balance against the type of usage on the device. In addition, many IT teams attempt to close security "holes" on mobile devices, such as the ability to forward documents or copy them locally, even though those same abilities (and more) are available on the user's laptop or desktop.
Weigh the separation of personal and corporate
Most MDM solutions today accommodate the need to create a separation between corporate and personal data. However, we cannot overemphasize the importance of two aspects associated with this capability.
- Communicating to users, and educating them on, how the MDM solution maintains this separation. These devices have become very "personal", and the thought of someone else installing software on them generates visions of Big Brother watching over their use of the device.
- Allowing users to back up their personal data and be responsible for it. We have seen some clumsy attempts to block syncing of devices over USB or over the air, which leave the user with no way of backing up their own data.
Measure the risk of data breach
A device used by a member of a company's board of directors needs to be identified and managed under a different security profile than a device that occasionally connects to the corporate file system to look up the annual holiday schedule. We advise companies to categorize devices as Trusted, Semi-Trusted, Untrusted or Restricted based on their usage characteristics. While policy creation needs to happen at a much more granular level, this higher-level categorization lets corporate IT understand the range of risk profiles across the device types to be managed by MDM. The risk associated with the breach of a device in one category may be very different from that in another, and this understanding is what should drive the level of MDM control applied to each category. Correspondingly, users in each category can understand the associated risk and are more open to accepting a higher level of control by IT.
Understand the impact on IT support processes
While the MDM platform can see every device enrolled under the BYOD program as well as all corporate devices, IT cannot be expected to provide the same level of support that has typically been associated with laptops and desktops. The situation is further complicated by the fact that the IT Help Desk cannot be expected to troubleshoot every possible device OS or wireless carrier issue, or to resolve questions about every app that can be downloaded from the public app stores. In many cases, giving users a way to find help through self-service resources is an acceptable level of service. However, for critical issues such as a lost device or a password reset, IT needs to provide a clear and easy path to support. Getting all stakeholders involved, including your service providers, carriers and users, can be critical.
We hope you're enjoying this series on the Top 10 Considerations for Enterprise Mobile Strategy. If you liked this tip and want to receive the others as they're released, sign up using the form on the left. In addition, read more about our approach to standing up a successful BYOD strategy and MDM program, and see how we've helped organizations similar to yours.