
Enforcing Mobile Device Policies

Effectively Securing Mobile Devices
By Lisa Phifer October 10, 2011 8:00 PM
2. Enforcing Mobile Device Policies

Mobile device managers (MDMs) use native device capabilities and/or installed agents to deliver central visibility and control.

MDMs pull diverse devices under one umbrella by leveraging device APIs, protocols and hardware capabilities. However, more may be required to deliver enterprise-class visibility and control over consumer devices.

For example, Microsoft Exchange Server can push policy settings such as MinDevicePasswordLength or RequireDeviceEncryption to any device that speaks the Exchange ActiveSync (EAS) Provisioning Protocol, and check whether the device reports that it applied them (Figure 2). But EAS support varies: Android 2.1 phones, for example, do not implement the password or encryption policies at all. This means that Exchange can be configured to block mailbox access by old Androids and to enforce password use on newer Androids, no matter who owns them.

Figure 2: Exchange ActiveSync Provisioning
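As an added example that is not part of the original article, the following Exchange 2010 SP1 Management Shell commands implement the kind of EAS enforcement just described: a mailbox policy that demands a device password and encryption, a setting that turns devices which cannot apply that policy away, and a verification step. The policy name, mailbox, admin address and the "Android 2.1" query string are assumed placeholders for illustration.

```powershell
# Added example, not from the article. Run in an Exchange 2010 SP1
# Management Shell. Assumed names: policy "BYOD-Baseline", mailbox "alice",
# admin mailbox "easadmin@example.com".

# 1. A mailbox policy that requires a device password and device encryption.
#    -AllowNonProvisionableDevices $false is the setting that actually blocks
#    devices that do not implement EAS provisioning (old Androids report
#    they cannot apply the policy). With the default of $true, such devices
#    would keep syncing mail without any of the protections below.
New-ActiveSyncMailboxPolicy -Name "BYOD-Baseline" `
    -DevicePasswordEnabled $true `
    -MinPasswordLength 6 `
    -AllowSimplePassword $false `
    -MaxPasswordFailedAttempts 10 `
    -MaxInactivityTimeLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false `
    -IsDefault $true

# 2. Assign the policy explicitly to a mailbox. -IsDefault above covers
#    mailboxes with no explicit policy; an explicit assignment takes
#    precedence, so this is how exceptions are made visible.
Set-CASMailbox -Identity "alice" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# 3. Organization-wide device access: quarantine any device not matched by
#    an access rule and notify admins, so unknown BYO hardware is reviewed
#    rather than silently allowed.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "easadmin@example.com"

# 4. Optional coarse rule keyed on the OS string the device reports.
#    The QueryString must match the reported DeviceOS value exactly, so
#    look at what your fleet actually sends (step 5) before relying on it;
#    the value here is an assumed example.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceOS `
    -QueryString "Android 2.1" -AccessLevel Block

# 5. Verify: did each device apply the policy in full, and which devices
#    are currently blocked or quarantined, and why?
Get-ActiveSyncDeviceStatistics -Mailbox "alice" |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus

Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -ne "Allowed" } |
    Select-Object DeviceType, DeviceOS, DeviceAccessState, DeviceAccessStateReason
```

The check in step 5 is the part worth keeping in a routine: DevicePolicyApplicationStatus tells you whether a device merely accepted the policy or reported it applied in full, and DeviceAccessStateReason distinguishes a device blocked by policy from one quarantined by the organization default.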

Unfortunately, EAS tackles just the tip of the iceberg. How can IT configure corporate mail accounts on BYO devices? How can IT install essential applications, such as secure messaging programs that insulate business data? How can IT prevent a data breach if an EAS-compliant iPhone is jailbroken? MDMs can help fill these gaps, and more.

Drilling deeper

Depending on device and product, MDMs can extend policy enforcement in several ways.

1) MDM servers usually interact with device-resident agents. Agents are installed on BYO devices from the Apple App Store, Android Market, Microsoft Marketplace, etc. Upon launch, the agent guides the user through self-enrollment with your MDM server. Thereafter, the agent periodically checks in with your MDM server; asynchronous commands such as remote lock may also be sent via SMS or TCP.

2) MDM servers may also interact with Apple devices using the iOS 4 MDM protocol. In this case, users visit a web page to complete enrollment with your company's MDM server. Thereafter, your MDM server uses Apple's Push Notification Service (APNS) to notify enrolled devices that a command is waiting; the notification itself carries no command content. Once notified, devices connect directly to your server to fetch the command and return the result.

3) Some MDM servers proxy EAS. In this case, whenever a managed mobile device interacts with Exchange, that traffic passes through an MDM gateway. This lets the MDM integrate devices that speak nothing more than EAS or block access by non-compliant devices.

These approaches are not mutually exclusive, but all require a corporate MDM server. Most MDM servers are deployed in an enterprise DMZ with easy access to a user directory and mail server. Alternatively, hosted or multi-tenant MDM servers can be deployed at a provider, with or without directory or EAS integration.
