When I talk to IT managers, we often discuss the grip they lack. Co-workers run around with privately owned laptops and phones that differ in operating system, update pace and settings. IT managers can’t go back in time and tell their colleagues to stop bringing their own devices to the office, but at the same time, they need to come up with a solution that protects company assets wherever they are. Up until recently, Mobile Device Management was the weapon of choice, but does MDM really withstand today’s threats and innovation pace? In this article, we’ll explore different ways of dealing with device security, and discuss the rise of the (very promising) container app principle.
Mobile Device Management (MDM)
When it comes to remote access control, MDM is probably the most common approach. MDM stands for Mobile Device Management and means that a company (read: you, the IT manager) installs software on devices to govern them remotely. This gives you the power to set rules for the users of those devices. For instance, you can require them to log in with a PIN code of six, seven or eight characters. You control updates, app upgrades, settings, user rights and, of course, IT security. Sometimes, you can even see which websites your users visit and who they’re calling.
Pretty creepy, right?
Because that’s the thing: MDM sounds like a solid security solution, but it’s also an invasion of privacy. Wherever your co-workers are, there you can be too, and that’s not fair. Besides, MDM makes it impossible to implement a Bring Your Own Device policy, because who’ll accept an IT manager installing an MDM client on their private laptop and phone? (I’ll give you a hint: no one.) Therefore, MDM is only possible for corporate-owned devices, and even then, it poses problems. You can’t standardise your MDM solution when you provide users with both Apple and Android, as they differ in operating system. MDM therefore makes it impossible for co-workers to choose their favourite device. And to top things off: even when you’re the one deciding which devices your co-workers can use, it’s very hard to keep up with the many updates on phones and laptops, which all affect the functioning of MDM.
Unified End-Point Management (UEM)
Clearly, MDM is not ideal in this modern world of Bring Your Own Device policies, updates, focus on privacy and freedom of choice. So, let’s move on to an often-discussed alternative: Unified End-Point Management (UEM). This IT solution is meant to secure all sorts of devices and software versions. It integrates with the operating system and also offers Identity and Access Management (IAM) options. UEM helps you to signal threats, to assess their impact and to act upon them. Moreover, it also offers content and app management. Sounds a whole lot better compared to MDM!
However, as is the case with MDM, UEM doesn’t secure a thing. It only helps you check whether the settings are set correctly, which is not enough to protect devices and the network against threats. Besides, UEM may stand for Unified End-Point Management, but there are many ways to circumvent it. Let’s say one of your co-workers owns a phone that allows him to store five different fingerprints, and he stores fingerprints of himself, his wife and his two children. Chances are high his family members will sometimes unlock his phone to, let’s say, look something up. This sounds harmless, but in the meantime, IT managers have no grip on the situation whatsoever, which is never good news.
To sum up, MDM can no longer keep up with today’s innovation pace and UEM (although a pretty good concept) falls short when it comes to actual prevention. Fortunately, there’s a third way of securing company assets, which takes a completely different route. App containers are growing in popularity, as they secure assets instead of endpoints. They work like this: everything that’s company-owned (applications, content, e-mail) is put in an isolated container on the device, so there’s no interaction with privately owned assets. This means you can take any device with any operating system and create a secured vault that can only be accessed by the right person. For instance, as an IT manager, you can allow face recognition, two-factor authentication, a password or a combination. You control the app; the user controls the device.
The embassy principle
I like to compare app containers with embassies. An embassy represents a country in another country and therefore falls under the administration of the country it works for. So, a Dutch embassy in the United States answers to the Dutch government, whereas the rest of the United States answers to the American authorities. The same goes for app containers: they fall under the administration of the company the user works for, but the rest of the device is his own. Second, there’s a hard cut between the two parts: company-owned assets such as contacts and e-mails are stored separately, and they aren’t automatically stored to, for example, iCloud. What I like most about this concept is that it makes it easier for IT managers to take back control without getting in the way of their co-workers. There’s freedom, control and flexibility: a combination that’s desperately needed by modern companies.