Mobile Application Security: Mobile Device Management (MDM)
In the early days of smartphones, organizations were draconian in granting rights on employees' devices. This approach proved inadequate: it decreased productivity and negated BYOD (Bring Your Own Device) opportunities. Nowadays, companies employ a much broader range of tools, services, and policies to maximize employees' freedom while keeping security risks under reasonable control. Part 1 of this series on Mobile Application Security focused on the prevention of injection attacks. Today's installment covers the role that Mobile Device Management (MDM) plays in endpoint security.
Endpoint Security Defined
In this context, the endpoint is the mobile device itself, and endpoint security is the protection of the physical device as well as the applications that run on it. The ever-growing need for endpoint security has given rise to a whole new field called Enterprise Mobility Management (EMM), which encompasses a variety of solutions focused on mitigating threats to mobile devices. These include:
- Loss of phones and other mobile devices
- Theft of private information if the mobile device is lost or stolen
- Annoying, unwanted calls and text messages
- Mobile viruses, malware and other threats
- Dangerous websites
- Harmful downloads
- Infected SD memory cards
EMM itself can be broken down into several more specific subcategories:
- Mobile Device Management (MDM): A centralized service aimed at controlling device configuration.
- Mobile Application Management (MAM): A centralized service aimed at controlling mobile applications and data.
- Endpoint Protection: A class of applications that protect specific devices. They may be used with or without MDM and MAM solutions, but using them in tandem with such services obviously offers the highest level of protection.
What is Mobile Device Management?
MDM is a centralized solution made up of several components: service enrollment, a server component that sends management commands to the mobile devices, and a client component that runs on the device and implements those commands. In some cases a single vendor provides both the client and the server; in others, the client and server come from different sources. Certain vendors, such as BlackBerry, include an MDM client on their devices.
Some of the ways that MDM can restrict device capabilities include disabling the camera, controlling which apps the device can run, and monitoring and/or restricting network access. Configuration is applied via policies. In some cases the client software automatically enforces all policies and only allows access to enterprise systems once every policy is applied. In other cases the MDM client only checks for compliance but does not apply the settings itself. In addition to setting policies, the MDM service may dictate when a policy is applied. For example, geo-fencing may be employed so that a policy is only applied when the device is in certain locations. Other policies may be time-restricted so that they only apply during work hours.
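The following is an added example (not code from the original article or any MDM vendor) that models the policy behaviour just described: each policy carries a required setting and an optional applicability condition (a geo-fence or a work-hours window), and the client either enforces the setting itself or only audits compliance, with enterprise access granted only when every applicable policy holds. The policy names, coordinates and distances are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
from typing import Callable, Dict, List

# Constructed model of MDM policy evaluation (example code, not a vendor's).
@dataclass
class Policy:
    setting: str                       # device setting the policy governs
    required: object                   # value the setting must have
    applies: Callable[["DeviceContext"], bool] = lambda ctx: True

@dataclass
class DeviceContext:
    lat: float
    lon: float
    now: datetime
    settings: Dict[str, object] = field(default_factory=dict)

def context(lat, lon, when_iso, settings):
    """Convenience constructor; when_iso is an ISO-8601 local timestamp."""
    return DeviceContext(lat, lon, datetime.fromisoformat(when_iso), dict(settings))

def distance_km(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance used for the geo-fence check."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def geofence(lat, lon, radius_km):
    """Policy applies only while the device is within radius_km of (lat, lon)."""
    return lambda ctx: distance_km(ctx.lat, ctx.lon, lat, lon) <= radius_km

def work_hours(start=9, end=17):
    """Policy applies only Monday to Friday between start and end (hours)."""
    return lambda ctx: ctx.now.weekday() < 5 and start <= ctx.now.hour < end

def evaluate(policies: List[Policy], ctx: DeviceContext, enforce: bool):
    """Return (compliant, violations). In enforce mode the client applies the
    required setting itself; in audit mode it only reports what is out of policy."""
    violations = []
    for p in policies:
        if not p.applies(ctx):
            continue                     # policy not in effect here/now
        if ctx.settings.get(p.setting) != p.required:
            if enforce:
                ctx.settings[p.setting] = p.required
            else:
                violations.append(p.setting)
    return (not violations, violations)

def enterprise_access_allowed(policies, ctx, enforce):
    """Enterprise systems are reachable only when every applicable policy holds."""
    return evaluate(policies, ctx, enforce)[0]
```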
Choosing an MDM Solution
Due to the overwhelming number of MDM solutions to choose from, it helps to consult an industry-recognized source before making any decisions. Gartner publishes its Magic Quadrant assessment of MDM solutions every year. It groups the top dozen solutions as leaders, challengers, niche players, or visionaries.
Enterprise iOS also publishes a comparison of different MDM solutions.
Google Apps Device Management
All versions of Google Apps except the legacy free edition support cloud-based MDM directly from Google. Perhaps surprisingly, it supports all device platforms, although it offers more features for Android. For non-Android devices, the service uses Exchange ActiveSync, a Microsoft protocol; Google's own implementation is called Google Sync. To use it, users must manually configure the Exchange ActiveSync connection. For information on how to connect iOS devices to Google Sync, visit this link.
iOS MDM Solutions
Apple introduced its own MDM API with iOS version 4, and it also supports third-party MDM solutions. The MDM service notifies devices of configuration changes using the Apple Push Notification Service. Devices then connect to the MDM server, authenticate themselves, and proceed to download and apply the modified configuration. Administrators may create and manage configurations using MDM software or Apple Configurator, which is available as a free download for the Mac from the App Store.
OS X 10.7+ Server now incorporates an MDM solution, including Apple Profile Manager, which allows configuration of both iOS and OS X devices. OS X workstations incorporate Apple Configurator. While not a full MDM solution, it does allow configuration of three main tasks relating to device profiles:
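As an added illustration (example code, not Apple's or any vendor's implementation), here is the exchange just described modelled end to end: the device checks in, the server wakes it through a push that carries no command data, the device connects to fetch the pending command, and then reports the result. Message and key names follow Apple's MDM protocol; the UDID, push topic, token and PushMagic values are constructed samples.

```python
import plistlib
import uuid
# Constructed model of the iOS MDM exchange (example code, not Apple's or a
# vendor's). Message and key names follow Apple's MDM protocol; the UDID,
# push topic, token and PushMagic below are made-up sample values.
UDID = "00000000-0000-0000-0000-00000000CAFE"
TOPIC = "com.apple.mgmt.External.example"

def device_checkin(udid=UDID, push_token=b"\x01\x02\x03\x04"):
    """Device -> server: Authenticate, then TokenUpdate carrying the APNs
    token and PushMagic the server needs to wake this device later."""
    auth = {"MessageType": "Authenticate", "UDID": udid, "Topic": TOPIC}
    tok = {"MessageType": "TokenUpdate", "UDID": udid, "Topic": TOPIC,
           "Token": push_token, "PushMagic": "example-push-magic"}
    return plistlib.dumps(auth), plistlib.dumps(tok)

def device_respond(command: bytes, udid=UDID):
    """Device -> server: report the outcome of a command it just applied."""
    cmd = plistlib.loads(command)
    return plistlib.dumps({"Status": "Acknowledged", "UDID": udid,
                           "CommandUUID": cmd["CommandUUID"]})

class MDMServer:
    def __init__(self):
        self.devices, self.queue, self.results = {}, {}, {}

    def handle_checkin(self, body: bytes) -> str:
        msg = plistlib.loads(body)
        if msg["MessageType"] == "TokenUpdate":   # remember how to reach the device
            self.devices[msg["UDID"]] = {"token": msg["Token"], "push_magic": msg["PushMagic"]}
        return msg["MessageType"]

    def queue_command(self, udid, request_type, **params) -> str:
        cmd = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": request_type, **params}}
        self.queue.setdefault(udid, []).append(cmd)
        return cmd["CommandUUID"]

    def apns_payload(self, udid) -> dict:
        """The push is only a wake-up; no command data travels through APNs."""
        return {"mdm": self.devices[udid]["push_magic"]}

    def handle_connect(self, body: bytes) -> bytes:
        """Device -> server after the push: 'Idle' or a command result.
        Reply with the next queued command, or an empty body when done."""
        msg = plistlib.loads(body)
        if msg["Status"] != "Idle":
            self.results[msg["CommandUUID"]] = msg["Status"]
        pending = self.queue.get(msg["UDID"], [])
        return plistlib.dumps(pending.pop(0)) if pending else b""
```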
- Preparing initial device configurations.
- Supervising devices for unspecified users: Configuration and apps are applied to devices when checked out. Devices are then wiped when checked back in.
- Assigning devices to specific users: Configuration and apps are applied to devices when checked out. Settings and app data are saved when a device is checked back in, and are then reapplied when the device is checked out again by the same user.
That concludes our overview of Mobile Device Management. Upcoming articles will cover Mobile Application Management (MAM) as well as Endpoint Protection.
Rob Gravelle resides in Ottawa, Canada, and is the founder of Gravelle Web Design. Rob has built systems for intelligence-related organizations such as Canada Border Services and CSIS, as well as for numerous commercial businesses.
In his spare time, Rob has become an accomplished guitar player and has released several CDs. His band, Ivory Knight, was rated as one of Canada's top hard rock and metal groups by Brave Words magazine (issue #92) and reached the #1 spot in the National Heavy Metal charts on ReverbNation.