The Ultimate Guide to SMB Mobile Device Management
Mobile devices are everywhere. GSMA Intelligence reports there are 5.22 billion mobile phone users globally, or 65% of the entire human population – from the C-suite executive constantly fiddling with her iPhone to your average grandma, who cannot get enough cat videos on YouTube.
Along with this flood of mobile phones, laptops, and tablets, has come unprecedented access to information, as well as productivity at a scale even the ancient Egyptians who built the pyramids would envy.
While these stats are impressive, for businesses, they represent a challenge that continues to grow in scale and complexity.
With more smartphones, tablets, and laptops in use at work, more work is being done on mobile devices, yet issues abound regarding the widespread use of BYOD (Bring Your Own Device) devices, as the following statistics indicate:
- 55% of companies say lost or stolen devices are their main BYOD security concern. (Help Net Security, 2020)
- 47% of companies do not adopt BYOD due to the challenges associated with controlling endpoint security. (Greig, 2020)
- 40% of security breaches in organizations originate from lost or stolen devices or equipment. (Dialpad Team, 2020)
- 30% of organizations have no way of protecting BYOD devices from malware. (Bitglass, 2020)
Add to the mix a business environment that is going remote, and you have a situation where business managers must grapple with the inevitability that most employees will access work resources from a mobile device, and in most cases, an unsecured personal device or in an insecure environment.
Enter Mobile Device Management.
What is MDM
Mobile device management (MDM) is a set of procedures, policies, processes, and technologies that allow a company to manage its employee’s smartphones, tablets, and laptops (mobile devices) remotely. MDM is the solution to creating a modern workplace that embraces mobile working without sacrificing security, productivity, or governance.
What is SMB MDM?
SMB MDM is the process of securing a small or medium enterprise’s mobile device assets through a centralized, simplified, scalable, and affordable solution. Unlike enterprise MDM, SMB MDM considers the limited resources such organizations have, including lack of a dedicated IT department, limited infrastructure resources like in-house servers, and the need for an affordable yet scalable solution.
BYOD and MDM: A Delicate Balance
According to a Cisco report, 95% of organizations (SMBs + enterprises) allow the use of personal devices for work in some way, shape, or form. At the same time, respondents said supporting security and privacy for multiple mobile platforms was the top challenge of BYOD.
Think of every employee checking their work email on a BYOD device while simultaneously playing Candy Crush.
Implementing an MDM solution, while imperative for SMBs, is in some ways more complicated due to the lack of robust governance controls and resources present in an enterprise setting.
Before delving a bit deeper into SMB MDM applications, let’s first scratch a bit below the surface of what MDM is.
MDM’s Core Purpose
MDM’s core purpose is to “optimize the functionality and security of a network of mobile devices while minimizing downtime and costs.”
As part of meeting this core mandate, MDM’s purpose or core functionalities can be expanded to include:
- Ensuring diverse mobile devices are configured to a supported set of applications, functions, or policies
- Updating hardware, functions, applications, or policies in a scalable manner
- Ensuring users utilize applications in a consistent and supportable manner
- Ensuring that mobile devices perform at a serviceable level
- Monitoring and tracking mobile devices (e.g., status, location, activity, ownership)
- Establishing the ability to efficiently diagnose and troubleshoot mobile devices remotely
MDM vs. EDM vs. EMM vs. UEM
The term MDM is quite well known, yet it is frequently associated, and in some cases, interchanged, with similar terms like Enterprise Device Management (EDM), Enterprise Mobility Management (EMM), and Unified Endpoint Management (UEM).
Aside from the confusing and alliterative acronyms, what’s the difference between these mobile device management approaches?
Before looking at the general differences, here are brief definitions of each.
Enterprise Device Management (EDM)
EDM is a fancy term for MDM with a focus on enterprise users. The term is a relic from the time when enterprise customers wanted more than simply basic device management. They wanted to include managing the content on the devices, besides other enterprise aspects like on-premises MDM (more on this later).
Enterprise Mobility Management (EMM)
EMM is a broader, catch-all term that includes the management of mobile devices, systems, networks, and other infrastructure and assets that employees use in a mobility setting. EMM brings together people, IT resources, infrastructure, and governance to formulate ways of integrating mobility into the core work ecosystem in a way that minimizes risk and accelerates productivity.
Unified Endpoint Management (UEM)
If EMM is a catch-all term, then UEM is a catch-catch-all term as it encompasses the management of any device that represents an endpoint. Such endpoints include printers, IoT devices, PCs, smart devices, Internet of Things (IoT) devices, smartphones, laptops, tablets – the whole nine yards. If a device represents an endpoint within a network, then it falls under UEM.
As you may have deduced, oh ye Sherlock Holmes, the main difference between these three types of device management is the scope. Depending on the use case, diversity of devices, and management scope, a company’s mobile device management policies might fall under any of these.
However, at the heart of all these is MDM. Regardless of whether you call it EMM, UEM, or EDM, the core principle is that they are all ways of managing mobile devices.
SMB MDM Features
While an SMB MDM solution might not be as robust as an enterprise one, it should have some basic features that tick the most critical checkboxes. After all, just because you can’t drop a few hundred thousand on a solution does not mean you shouldn’t get a solution that works for your company.
Here’s what to look for in an SMB MDM solution that will deliver results without breaking the bank:
Automated Device Enrollment
Automated Device Enrollment automates enrollment into Mobile Device Management and simplifies initial device setup. Automation is a crucial factor in MDM because it reduces the time and effort needed to enroll devices.
Multi-Platform Support (aka BYOD Support)
SMBs are more inclined to allow BYOD (it’s cheaper, after all), so an MDM solution that supports all major device platforms is a must. The most effective solutions support Apple (iOS), Android, BlackBerry, and Windows, making it easy to support various devices from a centralized command console.
Device Security Protocols
Device security is another core component of MDM. It offers security capabilities that control network access via VPN, store Wi-Fi passwords, restrict which networks can be connected to, enforce document passwords and a screen lock, and support malware protection. With hackers increasingly targeting SMBs, security is a must-have component of an effective MDM solution.
Access Control Capabilities
Mobile device access control is another crucial aspect of mobile device security. Since your employees will be accessing business data through their mobile devices, you need to ensure that only those employees can access them. To confirm that a mobile device is authorized to access sensitive business data, you need authentication and identity measures in place.
Over-the-air (OTA) Distribution
Modern MDM employs over-the-air distribution to send device configurations and update devices quickly and efficiently. One of the benefits of OTA is that it works hand-in-hand with automation. When configured to push automatic updates, the MDM solution can enroll devices, install apps and certificates, and enforce policies as soon as a device connects to the network.
Remote Tracking, Troubleshooting, and Wiping
When a work device gets lost or stolen, the last thing anyone wants is a criminal casually perusing through confidential documents and email. Good MDM makes it easy to track the phone and, if considered irrecoverable, allows the company to remote wipe the device. Additionally, MDM makes it easy to troubleshoot devices and push patches or other fixes remotely.
How SMB MDM Works
So far, we’ve covered the “what” of MDM, including its definition, how it differs from other types of device management approaches, and its core features.
Now, let’s shift focus to the “how” of MDM; how does MDM work?
MDM relies on three core components:
The server is where all the MDM policies reside.
The client is any mobile device connected to the server or network.
The management console offers an integrated view of all policies and devices and enables an admin to execute various commands.
Putting all three together:
- The admin publishes MDM policies to the server (e.g., device policy that encrypts a work partition on the mobile device)
- Using the console, the admin configures several commands to execute when specific requirements are met (e.g., when a new eligible device is detected on the network)
- The commands are published to the client (mobile device), executing the policies per stated parameters (e.g., encrypt the device but only the work partition and not the entire device)
The Server -> Console -> Client chain works well because it is based on a simple principle: Containerization.
Containerization segregates a part of a device or an entire device behind a set of security protocols. That part may be an application, a partition of the hard drive, or an entire work profile.
By creating a container, containerization enables a company to develop enforceable rules that govern that container.
Containerization works in the same way as putting a secure safe in an unsecured office. Although all the locks in the office may be weak or unlocked, if the safe is locked, its contents remain safe, regardless of how secure the office is.
Types of MDM Implementations
Companies implement MDM in a variety of ways, with three of the most popular implementations being:
Software-as-a-Service MDM is a widespread implementation because it cuts the setup cost, includes infrastructure management as a baked-in component, and generally costs less than other solutions.
For SMBs, SaaS MDM is especially attractive because it can be easily scaled up and down to meet demand. Moreover, if a company pays per device, its costs can potentially go up and down depending on the number of devices enrolled, making for an attractive proposition.
On-prem MDM deploys all the MDM infrastructure to the business’s premises. We are talking about all server and network assets set up and managed from the business’s premises. Along with these assets, the company requires dedicated staff to manage the assets and the entire solution.
While SaaS MDM also needs someone to deploy and manage the solution, on-prem is more resource-intensive. Only businesses with overly sensitive data should consider this solution approach.
Managed Service MDM (MS-MDM)
A managed service MDM approach provides an end-to-end MDM solution that minimizes the involvement of the contracting company. Whether SaaS or on-prem, a managed service provider brings in a specialized team with extensive experience handling MDM.
One of the key benefits of using a managed service solution is that such companies can help SMBs deploy sophisticated solutions without the SMB needing to make significant internal investments like hiring additional personnel or purchasing new equipment.
Types of Devices Covered by SMB MDM
Earlier in this guide, we mentioned that an effective MDM solution should have all-encompassing device platform capabilities.
Three of the leading platforms supported by most MDM solutions are:
iPhone, iPad, and Mac
You can manage iOS, iPadOS, and macOS devices using inbuilt MDM tools like Apple Business Manager and Apple School Manager that include Volume Purchase Program (VPP) and Device Enrollment. Both have a central console where admins can enroll Apple devices while managing licenses and applications.
Android Device Management
Android Zero Touch and Samsung Knox Mobile Enrollment are two options you have when enrolling devices or publishing managed apps to already-enrolled Android devices. Managed Google Play Store is another option that makes it possible to manage app installations and software licenses.
Windows Device Management
Microsoft offers MDM through its Azure Active Directory tool that allows identity and access management. Through Azure AD, a company can give employees access only to necessary apps. Azure AD can also be extended using third-party MDM solutions that utilize Azure AD IDs to identify and manage devices.
Benefits of SMB MDM
It’s clear that SMBs can benefit from MDM, but what are the specific benefits you can expect?
Let’s face it, BYOD is not going anywhere. MDM smoothens the kinks out of this transition, allowing even the most traditional firms to modernize their workforce while retaining robust policies.
Business IT security is a top priority these days. While you have a firewall and other security measures in place at the office, your work from home employees’ mobile devices may be exposed. MDM introduces mobile device security measures that allow you to extend your IT security right into the homes of your workers, so you always know your data is secure.
Controlled Mobile Device Environment
BYOD can introduce uncertainty, especially when it comes to the number of apps supported by each ecosystem. Not knowing the apps your employees are downloading or the websites they are visiting can cause IT panic (malware everywhere, ARGH!). With MDM, you can enforce which apps can be downloaded and include a secure browser that filters URLs.
Easier Remote Management
You are championing remote working, yet every time your employee’s device has an issue, they must come in and give it to the IT guy. That’s pretty redundant. With MDM, you can extend the power of remote working to your IT admin, so they can quickly troubleshoot, maintain, and fix your worker’s mobile devices, remotely. They’ll thank you for this.
Reduced IT Needs
Speaking about IT personnel, MDM significantly reduces your need or reliance on extended IT resources. For instance, if mobile device enrollment is automated, you do not need someone manually enrolling each device as it joins the network.
When there are so many devices to keep track of, it can become difficult to comply with governance regulations such as HIPAA and GDPR. MDM automates this process by publishing policies directly to devices and issuing updates to those that do not comply. Moreover, you can quickly push any compliance changes as an OTA update to all devices, effectively implementing them at the push of a button.
Challenges of SMB MDM
As with all great stories, there is always the flip side. While MDM has some compelling advantages, there are some challenges too that come with implementing the solution.
These challenges affect companies differently based on industry, company size, and internal factors like data security and access control.
Inherently, MDM takes away from the overall end-user experience. When overdone, MDM can compel users/employees to circumvent protocols, reducing the implementation’s overall effectiveness. The best way to ensure compliance is to sensitize end-users on why MDM is necessary and avoid overburdening them with overly restrictive policies.
BYOD is great, but not so much when you consider the device fragmentation levels you must face. Device fragmentation is a significant challenge for MDM from different mobile operating systems to different versions of mobile operating systems. Overcoming fragmentation involves creating OS type and version policies that ensure all devices are within a set of OS parameters.
While enterprise users have the resources to integrate MDM with other core systems, SMBs might fare differently due to relatively limited resources. SaaS solutions offer a viable solution to this predicament as they often provide ready-made integrations with popular platforms and tools. For more custom needs, some provide API access.
Mobile devices often act as a small window to a vast repository of data. A single compromised device can give an attacker access to your entire database. This single point of failure vulnerability means businesses must carefully assess access controls and mobile content management, including using the Principle of Least Privilege, so any compromised device does not bring the entire kingdom down.
SMB MDM Policy
What is an SMB MDM Policy?
An MDM policy outlines the rules and guidelines that govern the use of mobile devices in a company. A policy can be anything from a one-page document to a comprehensive multi page tome. Still, they each provide one essential benefit – they codify what you believe is the safest, most efficient way to allow your workers to use mobile devices at work.
In broad strokes, MDM policies are divided into four categories:
- BYOD – Bring your own device
- CYOD – Choose your own device
- COBO – Corporate owned, business only
- COPE – Corporate owned, personally enabled
The first and last, BYOD and COPE, are the most common as they provide a distinct yet workable option compared to the other two. Also, note that these are frameworks and not actual policies, so they should be adapted to each company’s specific needs.
BYOD vs. COPE
BYOD MDM Policy
Bring Your Own Device policies are widely implemented. An average of 67% of employees use personal devices at work. When done right, companies accumulate an estimated benefit of $300-$1300 per year from the average employee.
If implemented poorly, BYOD policies can prove problematic in the long run. Although most businesses only look at the upfront cost (your employees are footing the bill, yay!), the long-term costs in terms of potential data breaches, cyber-attacks, and data loss can be significant.
Other issues a business must address include finding a balance between enforcing BYOD policies and infringing on an employee’s personal space and rights. Although BYOD is considered a step up from having no MDM policy, it does require extra care to ensure all inherent risks are addressed.
COPE MDM Policy
Corporate Owned, Personally Enabled is a more effective way of implementing MDM as it strikes a crucial compromise between business and user needs.
In this scheme, the company purchases and maintains the device while allowing the employee some latitude while using the device.
This framework works more in its favor because it retains ultimate control over the device, a crucial prerequisite for an MDM policy to succeed.
Can you create a hybrid between BYOD and COPE?
For example, you can allow BYOD but restrict it to only mobile phones while enforcing a COPE policy for laptops. With such a compromise, you can go further and limit the apps a user can access on mobile (e.g., email and chat only) while allowing access to other work apps on the COPE laptop.
Hybridizing your policy will offer the best means of making meaningful tradeoffs between what you need and what is practical for your workers.
SMB MDM Policy Best Practices
Regardless of your implementation approach, your policy must include:
Businesses frequently undervalue passcodes, yet they act as the first line of defense against an attack.
In your MDM policy, enforce passwords in the following ways:
- Require two-factor authentication (2FA)
- Force time-based password updates
- Automatically log out on idle
- Forbid password sharing
- Provide and require the use of a password manager
Install Mobile Antivirus Software
Mobile antivirus software scans malware, detects potentially harmful third-party apps, and protects all ports from attacks. As part of your MDM policy, you should also issue updates from central control so all virus definitions always remain updated.
Enforce App and Firmware Update
Failure to update apps and firmware represents one of the most significant risks that mobile devices pose. In your policy, ensure all apps and firmware are updated as soon as updates are released. Again, centrally doing this will go a long way in providing all devices are updated promptly.
Block Rooted Devices
Rooted devices and “jailbroken” iPhones can easily hide malware, quietly slipping pieces of code into your network undetected. Since most rooted devices also have questionable software like custom ROMs and non-store apps, consider blocking them from joining the network.
Allow Only Approved Apps
Since 57% of SMBs already use mobile apps for business, allowing only approved apps prevents users from downloading and installing apps that the company has not vetted. You can enforce this by publishing a list of supported apps or using Google’s Managed Play Store to enforce only approved apps.
Block Public Wi-Fi Access
Employees accessing public Wi-Fi from work devices can expose them to sniffing and man-in-the-middle attacks. The MDM policy should include tools that disable or prevent access to public Wi-Fi networks, even when an employee tries to connect. You can also prevent devices from automatically connecting to public networks.
Force Data Backups
Not everyone will remember to back up every file and folder every day, manually. Spare your employees this mundane task by forcing periodic automatic data backups. Besides your employees sending you happy face emojis to say thank you, you will also ensure no data is lost.
Require Immediate Device Loss Reporting
If a device gets lost or is stolen, ensure employees report the incident immediately. In such cases, time is of the essence in either locating the missing device or remote wiping it. An unreported device in the wild can give an attacker access to crucial data that could be used in a spear-phishing attack.
Mobile Device Management is a powerful tool when wielded correctly. As an SMB, getting MDM right might involve using a managed service or hiring a consultant to offer onboarding insights.
Whichever way you choose to approach MDM, in today’s mobile-first world, MDM is a prerequisite of doing business.
As you review your options, weigh the pros and cons of different MDM approaches (e.g., BYOD may be sexy but is it suitable for your company?). Pick the solution that not only works for you now but can also scale as your business and the number of devices you manage grow.