Managing Mobile Device Settings and Applications

Effectively Securing Mobile Devices

By Lisa Phifer
October 10, 2011 9:00 PM

3. Managing Mobile Device Settings and Applications

Mobile device managers (MDMs) can automate putting approved devices into service and managing them in accordance with IT policies. Now that we know how MDMs integrate and communicate, let's look at capabilities they deliver.

Inventory Management: MDMs can enroll, provision, track and decommission corporate and BYO devices. Many use the Simple Certificate Enrollment Protocol (SCEP) to automate activation. Users may be authenticated against a directory, mapped to a group or role, checked against requirements and prompted to "sign" an acceptable use policy. Approved devices are then provisioned by pushing settings appropriate to each user/group and device. For example, iOS 4 and Android 2.2 phones might be issued certificates and configured with per-user WLAN logins.

Policy Management: MDMs can define, maintain and apply policies governing device control and operation. For example, policies can specify conditions for continued corporate access and actions taken to address non-compliance. If a setting is changed or a banned application is installed, an MDM may trigger an alert, reset a password, block mailbox access, delete corporate data or remotely wipe the device.
Supportable policies still depend on device type, but MDM can centrally enforce those policies on both corporate and BYO devices.

Security Management: MDMs can enforce mobile device security, including native authentication/encryption and add-on defenses. Common rules include PIN/password complexity and reuse, inactivity timeout, max failed logins and SD encryption. Defenses that might be installed by an MDM or even embedded in some MDM agents include encrypted data containers, firewall, VPN, anti-malware and jailbreak/root detection. Again, what is possible depends on device type; what is appropriate depends on corporate risk versus device ownership.

Software Management: MDMs can orchestrate OTA application deployment, installation, update, disablement and removal, subject to manufacturer and carrier restrictions. For example, MDM agents often display a catalog of recommended apps, but users may still be required to initiate public app downloads from the AppStore or Market. Some MDMs can also push enterprise app packages, license keys, settings and related data, removing them when a device is de-enrolled.

Service Management: MDMs can monitor and control network service use – for example, tracking call minutes, data bytes and roaming expenses during each billing cycle. Some MDM agents can take automated actions such as disabling network features when limits are exceeded.

Monitoring and Reporting: Finally, MDMs can keep tabs on mobile device location, status, and activities. MDM dashboards (Figure 3) often display real-time status and alert roll-ups (spanning all device types), supported by drill-down details and commands (adapted to each device's capabilities). Historical reports leverage data gathered by other management modules – for example, enumerating enrolled BYO devices or policy compliance violations.

When considering this laundry list, bear in mind that MDMs are still evolving.
Identify and prioritize your own workforce's needs before searching for MDMs that claim to support those capabilities. Then dig deeper to learn the extent to which capabilities are delivered for each device type, and whether the MDM can support your intended policies. In parts II and III, we drill into the specifics of how to use MDM to manage Android and iOS smartphones and tablets, with special emphasis on BYO device management.
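
The Policy Management and Security Management capabilities described above, sketched as an added example (not from the original article and not any MDM product's API): a compliance check over a constructed device inventory that maps rule violations to the actions the article lists and caps the response by device ownership. The thresholds, rule-to-action pairings, field names and app identifier are all assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Actions named in the article; ordering least to most disruptive is an assumption.
ACTIONS = ["alert", "reset_password", "block_mailbox",
           "delete_corporate_data", "remote_wipe"]
# Hypothetical policy values; the banned app id is constructed.
POLICY = {"min_pin": 6, "max_idle_min": 5, "banned": {"com.example.sideloader"}}

@dataclass
class Device:
    name: str
    owner: str                    # "corporate" or "byo"
    pin_length: int
    idle_min: int                 # inactivity timeout in minutes
    sd_encrypted: Optional[bool]  # None: device type cannot encrypt SD
    rooted: bool
    apps: set = field(default_factory=set)

# (rule, predicate, action): the pairing of rule to action is an assumption.
RULES = [
    ("weak_pin", lambda d: d.pin_length < POLICY["min_pin"], "reset_password"),
    ("long_idle_timeout", lambda d: d.idle_min > POLICY["max_idle_min"], "alert"),
    ("sd_unencrypted", lambda d: d.sd_encrypted is False, "block_mailbox"),
    ("banned_app", lambda d: bool(d.apps & POLICY["banned"]), "block_mailbox"),
    ("jailbreak_or_root", lambda d: d.rooted, "remote_wipe"),
]

def violations(d):
    """Return (rule, action) for every rule the device breaks."""
    return [(rule, action) for rule, broken, action in RULES if broken(d)]

def enforce(d):
    """Pick the strongest triggered action, capped by device ownership."""
    found = violations(d)
    if not found:
        return None
    action = max((a for _, a in found), key=ACTIONS.index)
    # Assumption: BYO devices get corporate data removed, never a full wipe.
    if d.owner == "byo" and action == "remote_wipe":
        action = "delete_corporate_data"
    return action

FLEET = [  # constructed sample inventory
    Device("corp-ok", "corporate", 8, 5, True, False),
    Device("corp-rooted", "corporate", 8, 5, True, True),
    Device("byo-rooted", "byo", 4, 10, None, True, {"com.example.sideloader"}),
    Device("byo-tablet", "byo", 6, 3, False, False),
]
REPORT = {d.name: enforce(d) for d in FLEET}
```

A device whose type cannot encrypt SD storage (`sd_encrypted=None`) is not flagged for that rule, reflecting the article's point that supportable policies depend on device type.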