MDM and BYOD: A square peg for a round hole
Rob Greer, VP of enterprise mobility group, Symantec
It seems no matter where one turns, bring-your-own-device (BYOD) is being shouted from the enterprise rooftops – especially as it applies to smartphones and tablets.
In fact, it seems the only group not excited about BYOD is IT – the ones who have to figure out how to keep sensitive corporate information safe. IT's consternation over BYOD is made worse by the fact that many think mobile device management (MDM) is the only tool available to contain the risks associated with BYOD, which is not the case.
MDM will always have a place in the enterprise because BYOD will simply never be the right approach for every employee. However, when it comes to BYOD implementations, MDM is not ideal. Thankfully, a better option exists. Mobile application management (MAM) presents an intriguing option for preparing for and avoiding the hazards of BYOD.
To understand why this is the case, it is important to acknowledge the three primary considerations that must be taken into account when it comes to enterprise BYOD implementations. Doing so will help identify the weaknesses of using MDM alone to manage BYOD devices.
The first consideration is how involved a company wants to be in managing the user-owned devices that connect to corporate resources. An anticipated benefit of implementing BYOD is no longer having to fully manage employees' mobile devices. In return, support costs are hopefully reduced. However, this aspiration is obviously negated by electing to use MDM, which is a device-level management technology. In other words, using MDM, companies are forced to completely manage user-owned devices and incur the costs of doing so.
Using MDM to fully manage user-owned devices also often intrudes on the personal use of those devices, reaching beyond the corporate data and resources on them. When faced with this reality, users often become disgruntled, resulting in additional headaches for IT.
The next consideration is how business-related apps and email access will be delivered to user-owned devices. After all, without providing BYOD users with adequate access to such apps and corporate resources, having a BYOD program loses its luster quickly. Thus, a delivery mechanism for providing corporate apps and resources to BYOD users must be put in place. This issue might seem simple on the surface, but it is actually fairly complex.
Finally, companies must ask themselves how the corporate apps, including email access (and especially the potentially sensitive data tied to them), will be secured once they are on user-owned mobile devices and what will happen to them when employees leave the company. This is really the golden question.
Again, this takes us back to the first consideration – how involved a company wants to be in managing user-owned devices. If user-owned devices are fully managed by an enterprise, the apps and resources can be made secure, but the other issues associated with the complete management of user-owned devices are brought to the surface.
To recap, MDM is technically a viable method to both deliver applications to user-owned devices and secure the corporate apps and data on them. Thus, MDM does address considerations two and three above. However, all of the concerns and issues associated with complete enterprise management of user-owned devices are also fully set in motion.
This is where MAM comes in. MAM, in contrast to MDM, allows for application-level management on user-owned devices. As a result, MAM completely negates the issues listed above that are associated with fully managing user-owned devices via MDM. At the same time it also addresses considerations two and three above just as well as, if not better than, MDM.
It does this by allowing enterprises to “wrap” each of their corporate apps and the data tied to them in their own security and management layers. This gives enterprises complete control of their apps and data while leaving untouched the devices themselves and also users' experiences with those devices.
In other words, with MAM, controls such as authentication, encryption and expiration can all be applied to corporate apps and other resources on otherwise unmanaged, user-owned devices.
In addition, good MAM solutions provide app portals that are tailored to each user to deliver the appropriate corporate apps to individual user-owned devices. In this way, the user experience of downloading necessary corporate resources is as simple and streamlined as visiting a public app store, but enterprises can ensure that users are only being given access to the resources they have permission to download.
In short, using MDM alone to manage BYOD devices is a lot like trying to fit a square peg in a round hole. Is it possible? Sure, but it's going to be difficult, and what you end up with might not look like what you were initially planning for. Alternatively, MAM can be the round peg perfectly suited for BYOD. With it in place, the secure use of user-owned mobile devices in the enterprise – without hindering users' experiences with their devices – is entirely possible.