Choosing An MDM Solution

Right now there are several types of Mobile Device Management solutions. They all have their place when you consider security and total cost of ownership. Some of them are going to be much more secure, giving more peace of mind. Others are going to integrate into or leverage existing systems, giving you peace of mind that you are not standing up an entirely new environment that also needs to be managed and secured.

We will be focused on MDM solutions that manage Android, Apple iOS, and Windows Mobile. Blackberry is very well known for having one of the most secure solutions already. Until a few years ago they were pretty much the only game in town when it came to phones carrying sensitive data, so I’m sure they have been under heavy attack. Very few issues have been published about the Blackberry solution, and it’s not because it wasn’t a target.

Generally every solution out there is going to allow you to push email, calendar, and contacts. You will also be able to configure other features on the device such as wifi and VPN profiles. From a security perspective you are able to force passwords on and enforce complexity. Finally, you can wipe out the work email, calendar, and contacts that you push, along with any other settings like VPN and wifi, or you could decide to simply wipe the entire device. These are the main benefits of having an MDM. Without these abilities I.T. is going to be tasked with managing and supporting all of these devices, which would be extremely time consuming.

Regardless of which solution you choose, there is still some inherent risk today unless you use this solution in conjunction with something else.


This is the first type of MDM solution that made its way into corporate environments. In a container system an application, typically found on either iTunes or Google Play, is installed on the device by the user. When they sign into the app with their corporate email address and password, the app finds the MDM server and synchronizes policies. Once synchronized, email, calendar, and contacts are synchronized to the device. The stand-out feature here is that these services are synchronized into the app that they downloaded.
The upside is that you can now password protect that app, you can encrypt all of the data in that app, and you can remotely wipe out that app and everything in it. Another neat feature is that within the app you may have a web browser, and you can route all of the traffic for that web browser through your network. This means that the users have intranet access from the outside. If you were to wipe out that app and everything in it, you would also have the benefit of leaving behind all of the users’ personal data. So you are (somewhat) effectively isolating their work life from their personal life.

The downside is that people don’t always like the app. When they pay $700 for a device because they love the email, calendar, contacts, and web browser apps, it can be a tough sell to make them use something else. You may say, well, too bad; that’s the cost of running whatever device you want on the network. In many cases we are seeing that argument does not hold, similarly to the way the argument to not allow these devices into the network in the first place worked out. Also, similarly to the way that the Blackberry network works, many of the container systems route all of the app traffic through the manufacturer’s network first and then to your corporate network. So if they’re down, you’re down.


This one is definitely the most popular type of solution today. Again, typically an application found on either iTunes or Google Play is installed by the user. When they sign into the app with their corporate email address and password, the app finds the MDM server and synchronizes policies. Once synchronized, email, calendar, and contacts are synchronized to the device. The main difference is that the users are using native clients.
The upside is that there is a proxy server that sits in front of ActiveSync (or Lotus Traveler), which means that the only way into the network is through the MDM. With only one way in, the user must use the app to onboard themselves and download their policies before they get their data pushed to them. So the user gets themselves onto the network, which also means I.T. doesn’t have to be involved! Another upside is that the user gets to use their native email, calendar, contacts, and web browser apps. You can still wipe out their work email, calendar, and contacts and leave everything else.
The downside is that there is a moderately higher risk of losing data. If the user can save files straight from their work email to their SD card, they probably will.

Out Of Band

This type of solution is typically found when an MDM manufacturer is getting into the game.  This architecture is similar to the rest in the sense that the user will probably sign in to an app and have policies pushed down to them.  The difference is that there is no proxy sitting in front of the email server.

The upside is that this solution will likely be a bolt-on to another solution you already have, potentially an anti-virus console or other management console.

The downside is that without that proxy server users can easily bypass the MDM by telling their device to connect to the email server directly. The workaround is a downside too. What we have seen is that I.T. will block everyone from connecting and manually provision each device. This is very cumbersome and defeats much of the point.
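One way to catch the bypass described above on the mail server side, as an added example that is not code from the original post: assume the mail front end writes IIS W3C logs, the MDM proxy is the only host that should reach /Microsoft-Server-ActiveSync, and the MDM can export the DeviceId of every enrolled device. The proxy address, device IDs and log lines are all constructed.

```python
# Added example, not from the original post. Assumed: the Exchange front end
# writes IIS W3C logs, the MDM proxy is the only host allowed to reach
# /Microsoft-Server-ActiveSync, and the MDM exports enrolled DeviceIds.
# Every address, DeviceId and log line below is constructed sample data.
from urllib.parse import parse_qs

MDM_PROXY_IPS = {"10.0.5.20"}                                    # constructed
ENROLLED_DEVICE_IDS = {"ApplDN6K2X7ZF18P", "androidc259148960"}  # constructed

# Constructed IIS W3C log excerpt; the #Fields header names the columns.
SAMPLE_LOG = """\
#Fields: date time cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2013-04-02 08:01:12 /Microsoft-Server-ActiveSync Cmd=Sync&User=jsmith&DeviceId=ApplDN6K2X7ZF18P&DeviceType=iPhone 10.0.5.20 Apple-iPhone5C2/1002.329 200
2013-04-02 08:01:40 /Microsoft-Server-ActiveSync Cmd=Ping&User=mjones&DeviceId=androidc259148960&DeviceType=Android 10.0.5.20 Android/4.1.2-EAS-1.3 200
2013-04-02 08:02:05 /Microsoft-Server-ActiveSync Cmd=FolderSync&User=rlee&DeviceId=SEC1A2B3C4D5E6F7&DeviceType=SAMSUNGGTI9300 203.0.113.44 Android/4.1.2-EAS-1.3 200
2013-04-02 08:02:33 /owa/ - 198.51.100.7 Mozilla/5.0 200
2013-04-02 08:03:10 /Microsoft-Server-ActiveSync Cmd=Sync&User=tnguyen&DeviceId=androidc111222333&DeviceType=Android 10.0.5.20 Android/4.1.2-EAS-1.3 200
"""


def parse_iis_log(text):
    """Yield one dict per request, keyed by the column names in the #Fields line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split(" ")
            if len(parts) == len(fields):  # skip malformed lines rather than mis-map columns
                yield dict(zip(fields, parts))


def find_bypasses(text, proxy_ips, enrolled_ids):
    """Return (reason, user, device_id, client_ip) for each ActiveSync request that
    came straight from a client instead of the MDM proxy, or from an unenrolled device."""
    findings = []
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].lower() != "/microsoft-server-activesync":
            continue  # OWA, Autodiscover and the rest are out of scope here
        query = parse_qs(rec["cs-uri-query"])
        user = query.get("User", ["?"])[0]
        device_id = query.get("DeviceId", ["?"])[0]
        client_ip = rec["c-ip"]
        if client_ip not in proxy_ips:
            findings.append(("direct-connect", user, device_id, client_ip))
        elif device_id not in enrolled_ids:
            findings.append(("unenrolled-device", user, device_id, client_ip))
    return findings


if __name__ == "__main__":
    for reason, user, dev, ip in find_bypasses(SAMPLE_LOG, MDM_PROXY_IPS, ENROLLED_DEVICE_IDS):
        print(f"{reason}: user={user} device={dev} from {ip}")
```

A firewall rule that only lets the proxy reach the ActiveSync virtual directory is the actual fix; this check is the detective control that tells you whether that rule is in place and holding.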


This solution involves leveraging desktop and/or application virtualization for users to access data.  Rather than managing the actual mobile device, or any device for that matter, the desktop or applications that users use to access data are published from the datacenter.
The upside is that the device and operating system they use is irrelevant. The client device is only used to display the application or operating system running in the datacenter, which is what really accesses the data. This means that all of the data stays in the datacenter, making this the most secure option.

The downside is usability. Displaying a virtualized web browser may work OK on a tablet, but not likely on a phone. Displaying a desktop OS like Windows or OS X, while possible, is terrible.

The residual risk of just using one of these solutions is data loss. No matter what you do, there is nothing stopping the user from emailing themselves a sensitive file. Whether they are just trying to get some work done or are being malicious, if they email the file to their Hotmail account that is also being synchronized on the device, there is nothing to stop the sending or receiving. Once received, the data can be saved to the SD card. It can also be synchronized to iCloud. It could also get synchronized to their personal computer that is hacked every which way from Sunday. Finally, if there is malware on the mobile device (or personal computer) looking for what is in that file (Social Insurance, Social Security, Credit Card, Health Card, customer lists, whatever), it will easily get siphoned off.

*** This is a Security Bloggers Network syndicated blog from Insecurity authored by asdfasdfasdfasdf.