Managing a herd of escaped cats
This month we are looking at mobile device security or, more commonly, mobile device management (MDM). The products that we saw were a mixed bag of on-premises and cloud-based. The on-prem products were software that we deployed in our virtual environment. The SC Lab test bed virtual host is VMware 5.1 and it took our install well and behaved efficiently.
One thing that we noticed was that some of the major players in this field were notably missing. It would have been nice to have seen some of the more frequently deployed systems as well as the ones we got – not to say that these were not popular… they are. However, this is a more open field than this month's products imply.
Another thing that we saw was that the mixed bag extends to support. We saw good and not so good. In one case, material facts about the market were completely misrepresented to us. Subsequent research showed us that the “facts” as presented were not accurate. This can be a consequence of a very competitive market where some vendors feel the need to disparage their competitors. What was it that Ray Noorda of Novell fame said about “co-opetition” back in 1992? Apparently those were the “good ol' days.” No such gentility today. If we learned anything during our testing it was caveat emptor [“Let the buyer beware”].
Generally, MDM products can do a couple of things, such as encapsulating apps so that only protected apps can be used on mobile devices. They can also subdivide the storage/user space into personal and organizational compartments. The organizational compartment is under full control of the organization's system administrator while the personal container is not. That means that the system admin can wipe the organizational data from a lost or stolen personal device while not touching the personal data, such as personal emails, photos, music and the like.
The big challenge today, of course, continues to be BYOD. Several aspects of some of the tools we saw, rather than making BYOD safer for the organization, would discourage the device's owner from using the device for any organizational business or data. We were involved from the security side in deploying a small MDM at a university (fewer than 500 employees) and we saw that phenomenon, much to our surprise.
Another thing we saw was that deploying these tools is not a walk in the park no matter what the vendor tells you. There is a lot that can go wrong if you are not careful as you set up policies. The bottom line is plan, plan and plan some more.
For all of that, though, it was a fascinating walk on the moderately wild side of digital security. However, BYOD is here to stay – although we know of more than one organization that has decided to provide mobile devices rather than mess with BYOD. Worth considering, certainly, especially if you are low on admin resources.
The objective in MDM is managing a herd of escaped cats and it is almost that easy. People don't like the organization messing with their devices so the “messing” needs to be kept as transparent to the user as possible. It never should interfere with correct user behavior, should protect the organization and, in some cases, protect the user. If deployment, provisioning, support, management and daily use are not transparent to the user, admins and help desk engineers will learn what “caterwauling” really means.