How Cloud-Based Mobile Device Management Supports Remote Working

Author: Gary Carrera MBA, CISA, CISM, CDPSE, HITRUST CCSFP ISO27001 Internal Auditor, Manager, Governance, Risk and Compliance at Meta
Date Published: 21 June 2021

Years ago, companies managed their devices manually, often with tools that offered only limited device management capabilities. Even so, those tools were instrumental in providing a basic level of security and control over devices containing or accessing confidential or sensitive information.

Over the past decade, device management use cases have changed significantly; they are now more complex, and failing to address them can have very negative implications for companies. With COVID-19 playing a significant role in how companies deliver IT services to employees, most of whom now work remotely with no direct connection to office resources, a large number of companies face questions such as:

  • How to centrally manage company devices and inventories?
  • How to distribute and control software?
  • How to enforce security policies and monitor device misuse?
  • How to protect assets to prevent security breaches?
  • How to enable BYOD environments without weakening the company's security posture?

In response to these and other questions, various companies have created solutions that enable versatile workflows for centrally managing company devices, whether connected to the office network or through the internet; these solutions are known as Mobile Device Management (MDM) or Unified Endpoint Management (UEM). MDM has evolved over the years, is now available as on-premises or SaaS deployments, and can be used to manage a large variety of operating systems, including macOS, iOS, Windows, Android and others.

Here are some of the critical features that MDM or UEM solutions enable:

  • Inventory Management: MDM enables companies to manage device inventories centrally, allowing IT and security practitioners to obtain a real-time view of devices enrolled in the platform. Considering that Asset Management has always been one of the most significant challenges for security, this is a powerful feature that enhances the security posture and allows better visibility into devices that need to be protected.
  • Device Security: MDM allows IT departments to create custom security profiles that enable remote control and monitoring of mobile devices. From forcing full-disk encryption to tailored host-based firewall rules, MDM can push very granular and specific security settings to any enrolled device.
  • Software Distribution: One of the most significant pain points of device management is software distribution and control; MDM allows companies to implement customized rules (allow or deny policies) for the use of specific software. It enables self-service libraries that users can use to install approved applications on demand, and it also empowers IT and security to control and monitor the installation of unapproved software.
  • Policy Enforcement: Companies can use MDM to enforce compliance with security policies. Whether organizations allow personally owned devices (BYOD) or only company-owned ones, MDM can push specific restrictions to prevent security incidents. For example, based on the device type, a policy can be enforced to block access to particular company resources if the device is not compliant with the required security settings (e.g., a device that does not have full-disk encryption enabled).
  • Administration: Flexible administrative options are needed to enhance the organization’s ability to manage the various device types used in more complex environments. Nowadays, organizations have a hybrid mix of operating systems connected onsite or offsite. While on-prem deployments can manage some devices, others require a cloud-based (SaaS) solution. Most MDM solutions offer both deployment types.
  • Audits and Reports: From a security standpoint, detailed reporting on device monitoring is crucial to maintaining a proactive approach to preventing security incidents and data breaches. The more powerful MDM solutions combine multiple reporting capabilities that give companies granular details about how the devices enrolled in the platform are being used and can show trends in areas like patch levels, encryption, geo-location, and others. Robust audit and reporting features are instrumental in monitoring compliance with internal security policies and external obligations.
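To make the policy enforcement and reporting features above concrete, here is an added example (not code from the article or from any MDM vendor) of the kind of compliance check an MDM applies before granting a device access to company resources, followed by the fleet-level figures a security team would trend. All thresholds, application names and device records are constructed sample data.

```python
# Added example (not the article's or a vendor's code): a minimal compliance
# check of the kind an MDM runs before granting access. All thresholds, app
# names and device records are constructed sample data.
from collections import namedtuple
Device = namedtuple("Device", "device_id os_name os_version fde_enabled "
                    "firewall_enabled installed_apps days_since_patch owner_type")
POLICY = {  # hypothetical baseline pushed to every enrolled device
    "min_os": {"macOS": (12, 3), "Windows": (10, 19043), "iOS": (15, 4)},
    "denied_apps": {"TorrentClient", "UnapprovedVPN"},
    "max_patch_age_days": 30,
}

def check_device(dev, policy=POLICY):
    """Return the list of policy violations; an empty list means compliant."""
    issues = []
    if not dev.fde_enabled:
        issues.append("full-disk encryption disabled")
    if not dev.firewall_enabled:
        issues.append("host firewall disabled")
    min_os = policy["min_os"].get(dev.os_name)
    if min_os and dev.os_version < min_os:
        issues.append(f"{dev.os_name} version below minimum")
    denied = dev.installed_apps & policy["denied_apps"]
    if denied:
        issues.append("denied software: " + ", ".join(sorted(denied)))
    if dev.days_since_patch > policy["max_patch_age_days"]:
        issues.append(f"patches {dev.days_since_patch} days old")
    return issues

def access_decision(dev, policy=POLICY):
    """Conditional access: deny non-compliant devices; compliant BYOD gets a restricted scope."""
    issues = check_device(dev, policy)
    if issues:
        return "deny", issues
    return "allow", ["restricted" if dev.owner_type == "byod" else "full"]

def compliance_report(devices, policy=POLICY):
    """Fleet-level figures a security team would trend in MDM reporting."""
    failing = {d.device_id: v for d in devices if (v := check_device(d, policy))}
    total = len(devices) or 1  # avoid division by zero on an empty fleet
    encrypted = sum(d.fde_enabled for d in devices)
    return {"total": len(devices), "noncompliant": failing,
            "compliant_pct": round(100 * (len(devices) - len(failing)) / total, 1),
            "encrypted_pct": round(100 * encrypted / total, 1)}

FLEET = [  # constructed inventory snapshot
    Device("mac-001", "macOS", (12, 4), True, True, {"Slack"}, 5, "corporate"),
    Device("win-002", "Windows", (10, 19041), True, False, {"TorrentClient"}, 45, "corporate"),
    Device("ios-003", "iOS", (15, 5), True, True, set(), 2, "byod"),
    Device("mac-004", "macOS", (12, 4), False, True, {"Slack"}, 10, "corporate"),
]
```

Running `compliance_report(FLEET)` on the sample inventory reports two of four devices non-compliant and 75% encrypted, while `access_decision` denies those two and restricts the BYOD phone.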

Let’s think about the repercussions of moving all or most employees to remote work. We need to consider the extra exposure of endpoint devices connecting to company assets from many different home internet connections. Before the COVID-19 pandemic, most companies managed devices onsite, either manually or with support from asset management tools. Even in 2020, it was common to find IT support personnel installing OS updates or changing security settings across 100+ devices by hand. Of course, managing devices manually is not very effective, and the fact that those devices are now in employees’ homes makes it even more complicated.

During the beginning of the pandemic, I witnessed the transition of thousands of brick-and-mortar devices to home environments and the complications caused by this relocation. IT departments in large-scale companies had to move fast to enable cloud-based MDM solutions to keep companies secure.

Cloud-based MDM solutions enable remote control over mobile devices accessing company assets from internet connections. If a device is lost or stolen, MDM allows remote lock and wipe features to reduce the likelihood of a data breach. If we think about it, the device exposure risk significantly increased during 2020. However, the range of available solutions to deal with this risk has expanded and improved as well.

Here are some of the most popular MDM solutions currently available in the market:

  • Jamf: Jamf is an MDM solution created specifically for Apple devices. It can manage iOS, macOS, iPadOS, and even tvOS. Jamf has proven to be one of the most reliable solutions for Apple ecosystems and provides different products suited to other use cases. Jamf's recent acquisition of cmdReporter enhanced its device-level logging capabilities and its integration with SIEM solutions.
  • Microsoft: Microsoft Endpoint Manager allows companies to integrate Microsoft Intune and Configuration Manager for a more robust endpoint management workflow.
  • ManageEngine: Mobile Device Management Plus can manage Windows, macOS, iOS, iPadOS, tvOS, Android Enterprise, OEMConfig, Chrome OS and Linux. It is available on-premises, as a private cloud-hosted deployment, and as a SaaS offering.
  • VMware: Workspace ONE integrates application management, access control, and endpoint management into a unified platform. This solution results from VMware’s acquisition of AirWatch in 2014 and its later evolution into a new platform capable of managing Windows, macOS, iOS, Android and Linux, among others.
  • Cisco: Meraki Systems Manager is a versatile solution for Cisco Meraki network infrastructure; the management console enables Cisco-specific integrations such as automated enrollment upon connection to the network and certificate-based security, among other features.

Gartner’s article Magic Quadrant for Unified Endpoint Management contains excellent insights into some of these tools, among others. MDM technology has enabled more secure home working environments and better remote management capabilities, supporting risk reduction and minimizing the likelihood of security incidents and data breaches.

About the author: Gary Carrera is a Privacy Program Manager at Facebook. He has 14 years of experience supporting large tech companies in Information Security and Privacy programs, most recently at Facebook and Apple. He holds an MS in Business Administration and Project Management and CDPSE, CISM, CISA, CCSP, HITRUST CCSFP, ISO27001 among other certifications. The postings on this site are the author's own and don't necessarily reflect his employer's positions or opinions on the subject.