Introduction to EMM


Introduction

So you are looking for possibilities of making managed Android and iOS devices available to your users? Or are you tasked with coming up with a new strategy for delivering a workplace to users? Whatever the reason you started looking, you may have come across the terms MDM, MAM and EMM. In this blog I will try to give you a basic understanding of what these terms entail, and in follow-up blogs I will expand on the subject.

So what is EMM?

Enterprise Mobility Management (EMM) is an emerging, alternative way of managing devices. The current, traditional way of managing devices has several limitations. EMM is here to add flexibility and create a new dimension in delivering access to your company data. EMM is not yet fully mature and a few problems remain; I will get to these later. EMM was at first brought in to support mobile devices, but it has the potential to become a lot more as vendors keep adding functionality.

EMM is a collective term for Mobile Device Management (MDM), Mobile Application Management (MAM) and Mobile Information Management (MIM). Each component solves a problem, is individually usable and complements the others. Later on I will briefly touch on each component to give you an understanding of what it does.

iOS, Mac OS X and Android devices do not allow for the traditional management methods. These devices are designed as user devices, which means the users are in control. We (IT) are able to conditionally add and remove (security) policies and applications to enable work on the devices, but in the end the user is in control and is able to remove the company as a device manager. By doing so, the user also loses access to company data. In this case the user is the one who owns the Google, Apple or (public) Microsoft account that is attached to the device. You are able to control the vendor accounts, but I would recommend against this: users would no longer be able to download apps, and if there is a public app update you would have to manually update applications on each device.

Mobile device management (MDM)

With mobile device management you use the native APIs every OS has available. In short, it gives you the ability to set policies and control devices. Some policy examples would be configuring Wi-Fi, configuring mail in the native mail app and blocking the use of specific apps. Examples of direct management are (selectively) wiping or locking a device.

A device is enrolled into your MDM and is managed by it. You will not see it in Active Directory unless you apply a specific policy for that. The MDM attaches the device to a user and, based on that user, sends over the policies you have defined.

Trust

The operating system itself is not actually trusted, unlike a device in Active Directory. MDM only adds a device manager identity to the device, which allows IT to send over policies. All data that is made available has to be accessible already. This brings me to the limitations of MDM.

Limitations

Like I said before, MDM only uses native APIs. This limits the possibilities for making company data accessible; for these purposes you can add the MAM component. For example:

  • VPN: The native APIs allow for VPN functionality. This tunnels the entire device to the internal company network. You could then use applications that require the internal network to be present. A lot of companies, however, do not allow untrusted devices to access the internal network. MAM gives more granular control over which applications enter your internal network through a “per-app VPN” feature.
  • Mail: When you configure mail on a device through MDM, you are able to make the device compliant with the policies. You do not, however, control where your company data goes on the device. Employees may lend the device to their children to let them play games on it. Although your policies are active, you can never be completely sure whether the device is compromised. MAM allows you to control the flow of your data between apps and enables you to require extra authentication for your company data, in addition to the authentication to the device itself.
  • Application deployment: You are able to deploy applications, but you are unable to configure them after deployment. If the application requires a connection to the internal network, the application itself should provide that functionality, or you could configure a full VPN tunnel.

Use cases

You could use MDM on its own in the following case:

  • You plan to enable users to use company mail or to distribute company applications on a wide array of platforms.
  • You are able to meet the security directive when:
    • The device can be made compliant through native APIs;
    • You are not required to encrypt company data separately from user data;
    • You are not required to control the data flow on the device;
  • You (IT) want direct control over the devices.

MDM complements the other EMM components when the following are included in your requirements:

  • You (IT) want direct control over the devices that are able to access data, by being able to lock or wipe the device;
  • You want to make the device compliant with security directives.

Mobile application management (MAM)

MAM is here to add more granular control over data and applications. It is able to create a virtual container on the device and control the flow of data within the container. It enables you to specify functional or security policies for an application. Policy examples could be blocking the camera when you start an application or setting the company homepage in the browser.

Aside from this, MAM also enables you to create a micro VPN or per-app VPN. This VPN is only usable by the application.

Limitations

  • Policies: You are unable to send policies to the device; this requires the MDM component.
  • Custom apps: Vendors want to enable you to configure application policies to (for example) control the data flow for applications and add VPN functionality. For these reasons vendors choose to develop their own apps with functionality similar to Microsoft Office. These, however, may not perform the way Office does and may annoy users with their limitations. Some vendors are able to work around public app limitations, but several configuration problems remain.

I will cover MAM in more detail in a separate blog.

Mobile information management (MIM)

MIM is also known as Mobile Content Management and has a specific use case: it enables users to access storage from any location on any device. With MAM you can control the flow of the data to the MAM office applications; without MAM the data is in most cases either available to the entire device or available with less functionality attached.

You could see MIM as a company Dropbox. Company data is usually provided through an internal file share or a storage location in the cloud. Access to the company data is usually managed through the MIM software and AD or Azure AD.

I will cover MIM in more detail in a separate blog.

EMM versus the traditional endpoint management

In the table below I have summarized some aspects you have dealt with before. EMM has a different mindset, and so some aspects work differently. Sometimes there is a good reason for it, sometimes there are limitations.

Policies
  Traditional endpoint management: You are able to manage the user experience through a comprehensive set of policies.
  EMM: You are able to enforce device compliance through the native APIs the software vendors make available.
    – Not every vendor has the same APIs.
    – The set of policies is not as comprehensive as Windows policies.

Provisioning
  Traditional endpoint management: You have granular control over how an endpoint is provisioned for the end user by managing the patch level and generic applications and by specifying custom settings.
  EMM: The provisioning of devices in EMM consists of either vendor provisioning programs or enrolling user devices. You are able to specify requirements for compliance, base data access on them, and drop access when the device fails the compliance checks.
    – You have no control over applications other than the ones you provisioned.
    – You are unable to stop an OS from updating.

Application management
  Traditional endpoint management: Through a variety of tools you are able to distribute software. You have, in most cases, no or only a limited number of ways to control the flow of data. There has been no need for it: the security measures in place protect the entire device.
  EMM: MDM and MAM are able to deploy applications. MAM gives an extra layer of granular application control. You are able to specify separate compliance policies for applications and have control over the data flow.

Patch management
  Traditional endpoint management: The IT department has a variety of tools to control patch levels of the OS and applications. In most cases IT is responsible for patch management.
  EMM: There is no, or only limited, control over the installation of OS patches unless an EMM vendor specifically offers this function. You are, however, able to set compliance rules and allow or disallow access to company apps and data. The user is responsible for updating his or her device!

User profile
  Traditional endpoint management: The user's personalized settings roam from device to device.
  EMM: There is no user profile management in place other than what the vendor provides.

OS trust
  Traditional endpoint management:
    – Devices require direct access to Active Directory and the internal network to access resources.
    – As a user you are able to roam from device to device (if you have the permissions).
    – If credentials are compromised, attackers may be able to connect to other devices on the network.
  EMM: The user is only able to access company data through the device he or she has enrolled with.
    – MDM does the direct authorizations. Usually MDM works with AD to determine authorizations.
    – Users do not automatically have access to other enrolled devices. If a device is compromised, attackers cannot hop from device to device.

Device management
  Traditional endpoint management: You have direct, granular control over your devices.
  EMM: The EMM software is required to contact the Microsoft / Google / Apple notification servers in order to reach devices and supply them with instructions. Instructions could be locking or selectively wiping a device.

User freedom
  Traditional endpoint management: Typically users are not allowed to install applications. Users use the applications provided by the company.
  EMM: Having the ability to separate company apps and data from user data, the user could be given more freedom on the device (while still meeting company requirements).

Operating system support
  Traditional endpoint management: Windows.
  EMM: Depending on the EMM vendor, all popular and recent OSes.

Support
  Traditional endpoint management: Could become complex as you customize your environment to fit your needs. There is only the Windows OS you have to support.
  EMM: There is a lot of standardization, and a lot is open for the user to customize, so a lot is left to the user. Support does become more complex with the number of operating systems you support. Google, Apple and Microsoft regularly update their OS, so the EMM vendor may bring out updates that you (IT) have to distribute within your environment.

Security
  Traditional endpoint management: An array of possibilities. As the Windows OS has been around for a long time, an array of security tools is available:
    – Antivirus
    – Whitelisting
    – Privilege management
    – Patch management
    – Firewall
  EMM: EMM has a variety of controls available to ensure company data on the device is safe.
    – Design: As the OS is not trusted, if a device is compromised only the data on the device itself is compromised. The attacker has no way of jumping to another system.
    – Separate company data: MAM gives you the possibility to separate company data from user data and to add an extra authentication step to access company data. If the device is compromised, the company data is still separately encrypted.
    – Compliance: With MDM you are able to set compliance rules for rooted and jailbroken devices and for specific security components on the device (e.g. device PIN, encryption). This works similarly to antivirus: there is a detection mechanism that checks several components based on what it knows. If a “root hider” uses a new method, it might not be detected right away.
    – Antivirus: Some MDMs scan devices for malicious apps or code.
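As an added illustration (not code from the original post or from any EMM vendor), the following Python sketch models the two EMM controls from the table: the MDM compliance check (rooted/jailbroken state, device PIN, encryption and a minimum OS version) that drops access to company data when a device fails, and the MAM data-flow rule that keeps data from managed apps inside the set of managed apps. All device records, app names and version thresholds are constructed sample values.

```python
"""Added example: a toy EMM compliance / data-flow evaluator (not vendor code).
All device records, app names and version thresholds are constructed samples."""
from dataclasses import dataclass, field


@dataclass
class DevicePosture:
    """What an MDM agent typically reports back about an enrolled device."""
    device_id: str
    os: str                # "ios" or "android" (constructed values)
    os_version: tuple      # e.g. (14, 2); tuples compare element by element
    rooted: bool           # result of the jailbreak / root detection
    pin_set: bool
    encrypted: bool


@dataclass
class CompliancePolicy:
    min_os_version: dict = field(default_factory=dict)  # os -> minimum version tuple
    block_rooted: bool = True
    require_pin: bool = True
    require_encryption: bool = True


def evaluate(device, policy):
    """Return (compliant, reasons); reasons lists every failed rule so the
    user can be told what to fix rather than simply being locked out."""
    reasons = []
    if policy.block_rooted and device.rooted:
        reasons.append("device is rooted or jailbroken")
    if policy.require_pin and not device.pin_set:
        reasons.append("no device PIN configured")
    if policy.require_encryption and not device.encrypted:
        reasons.append("device storage is not encrypted")
    minimum = policy.min_os_version.get(device.os)
    if minimum is not None and device.os_version < minimum:
        reasons.append("OS version below the required minimum")
    return (not reasons, reasons)


def access_decision(devices, policy):
    """Company data is reachable only from an enrolled, compliant device:
    map each device id to 'allow' or 'deny' (access is dropped on failure)."""
    return {d.device_id: "allow" if evaluate(d, policy)[0] else "deny"
            for d in devices}


def data_flow_allowed(source_app, target_app, managed_apps):
    """MAM data-flow rule: data originating in a managed (company) app may only
    be shared with another managed app; personal-app data is unrestricted."""
    return source_app not in managed_apps or target_app in managed_apps
```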

What are you getting into with EMM?

Supporting each OS and enabling a complete office experience could increase the workload on support. EMM vendors work really hard to decrease that load, but you still have to keep an eye on the situation. Device vendors like Google, Apple and Microsoft frequently update their OS to add functionality or to patch security holes. This could mean the EMM vendor also brings out updates in order to keep their device agents or individual apps working correctly. This in turn requires you to roll out the update the vendor supplies to you; not doing so could result in the apps no longer working. EMM vendors are working on mitigating this problem, though. Citrix, for example, publishes its applications in the public app stores. Through their MDM you are able to configure these applications to fit your requirements. The benefit for customers is that Citrix maintains the applications.

Jeroen van Keimpema (Consultant IT)
