On-Boarding and Off-Boarding Mobile Devices – CompTIA Network+ N10-006 – 2.3


Our mobile devices are usually owned by the user, but managed by the organization. This shared ownership of device and data can create a number of policy and technology challenges. In this video, you’ll learn about user acceptance policies, mobile device managers, and some of the important aspects of on-boarding and off-boarding mobile devices.



In recent years, our network and security teams have had to deal with a new challenge with mobile devices. Users own their own mobile phones and tablets, and they want to use them for work inside of your organization. So now we need to deal with the challenge of separating user information from corporate information: what you do when a user is onboarded to the network, and what you do with that equipment and that data when the user leaves the organization and is offboarded. In this video, we’ll look at some of the ways that you can manage this process of onboarding and offboarding these devices.

The first place you start with these mobile devices is with some very well defined policies. If you are bringing this device into the network, and it’s going to have your corporate or organization’s information on it, then the device needs to be managed and controlled by the organization. Users have to agree to allow you to have some control over that device so that you can make sure that your organization’s data is safe.

Fortunately, a number of technologies have been created so that you can easily manage these many different mobile devices, under the general name of a Mobile Device Manager, or MDM. An MDM connects to each mobile device from one central management console and controls and manages almost every aspect of the way that mobile device works. That way, you can define some very specific corporate policies, and then apply those policies through the technology in the Mobile Device Manager.

Your organization probably has an Acceptable Use Policy, or an AUP, for these devices that you have on your desk. When you’re working at your computer, these acceptable use policies define what you can do on that device, what you can go to on the internet, and how you’re able to use that device for both work and personal use.

But it’s not so clear-cut when we talk about these mobile devices. The devices are owned by the user. They’re brought into the workplace during the day, and they’re taken out of the workplace during the night. And while they’re outside the workplace, they’re a personal device with personal data and corporate data combined on the same device. That’s why there is generally an acceptable use policy also written for these BYODs, these Bring Your Own Devices. That policy has to draw a well-defined line, so that even when people are using the device for personal use, it still falls under the acceptable use policy for these mobile devices.

There are thousands of mobile phones and tablet devices to choose from. One of the challenges for the IT department is that you want to be able to support as many of them as possible, but still be able to manage and control the information on those devices. So generally, an organization will create a list of approved devices: if you have one of these particular models, the IT department can support it, and you would then be able to manage it through the Mobile Device Manager.

The MDM itself may have a certain list of devices and models that it supports, and that might help you create the approved device list for your organization. The MDM also has limitations on how many devices it can support, and on how it’s going to support those devices over the network connections.

You have to, of course, purchase the Mobile Device Manager, and it has to be installed. This is not a simple checkbox install. There are very complex processes in place for the Mobile Device Manager to talk securely to the mobile devices, especially across different operating systems. You have to get trained in this technology, and there are ongoing maintenance costs. So an MDM is generally a relatively large investment to make, not only in the equipment itself, but in the people to be able to run it.

These mobile device managers also have to be able to communicate to any of these mobile devices wherever they might be in the world. It’s easy to communicate to a device that’s on the inside of your network. But because so many of these mobile devices are outside of the network as well, you have to make sure the MDM has access to the internet, and can communicate through your firewall, so that you’re able to manage these devices.

Our mobile phones and our tablets are very personal devices. They’re generally used by one person. And the information that we have on these devices can be very personal and very private. So we now need to set some clear delineation over who owns the data, and who has access to the data on that mobile device.

Some of the data is going to belong to the organization. But some of the data is also going to belong to the individual. And because of these differences in data types and who owns them, you have to set up some clear policies on how you handle that data when someone is brought onto the network, and when somebody leaves the network.

That’s where you go back to your policies, to help understand who does own this information, and to set policies on what happens to the data when somebody comes onto the network and the device becomes managed by the organization, and what happens to the data when somebody leaves the organization. Your policy might be that when somebody is added to the network, everything on that device is owned by the organization, and if somebody leaves, your policy is to completely erase everything on that device.

Many Mobile Device Managers, though, can give you a middle ground. They can segment off a section of the mobile device to be used for the organization, and leave the rest of the device available for the user’s data. The organization would have access to anything inside of that box of information, and it would not have access to personal data that’s also on that mobile device. That way, when somebody comes on board, you can create that segmentation, and have all your organization’s data inside of it. When somebody leaves the organization, you simply remove the box. You remove that segmentation, and only delete the data associated with the organization, leaving the end user’s data completely intact.

Now that the organization has added this mobile device to the Mobile Device Manager, support for the device becomes the responsibility of the organization. Usually, a company is setting policies on this device: they’re able to turn the camera on and off, and they’re able to allow or disallow certain applications and data from being installed on the device. And if anything happens to that device, the first call should then be to the organization’s help desk, not to the wireless provider.

With the Mobile Device Manager, the organization has a lot of control over that device. They can choose to allow or disallow any type of data. And if anything needs to be erased, they simply click a button inside the Mobile Device Manager, and that information is removed from your device.

There’s usually a formal process for onboarding and offboarding these mobile devices. Generally, it’s one where you are, indeed, carving out a small section, or segmenting off a section, of that mobile device that’s just to be used for corporate information. That way, if you do need to remove this device from the network, it’s easy. Just remove that little section. But some organizations prefer a policy where you are removing everything on the mobile device. And if you’re dealing with very sensitive information, that may be the only way to really be assured that everything is removed from that device.
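To make the two offboarding choices concrete, here is a small model of a segmented device, written as an added example for this page rather than code from the video or from any MDM product. The approved-device list, the file paths, and the constructed edge case of a work file saved outside the container are all assumptions. It shows why the container-only wipe from the "middle ground" paragraph above leaves personal data alone, and why a full wipe is the only option that guarantees nothing belonging to the organization is left behind.

```python
# Toy model of MDM onboarding and offboarding with a segmented work container.
# Added example for this page; not code from the original transcript or from any
# real MDM product. Device models, file paths and the edge case are assumptions.
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Owner(Enum):
    PERSONAL = "personal"
    CORPORATE = "corporate"


# Hypothetical approved-device list, normally derived from what the MDM supports.
APPROVED_MODELS = {"Phone Model A", "Tablet Model B"}


@dataclass
class Device:
    model: str
    # Every item on the device: path -> who owns that data.
    storage: dict = field(default_factory=dict)
    # Paths the MDM placed inside the organization's segmented container.
    container: set = field(default_factory=set)
    enrolled: bool = False
    camera_enabled: bool = True
    allowed_apps: Optional[set] = None  # None means no app restriction applied


def onboard(device: Device, corporate_items, disable_camera=False, allowed_apps=None):
    """Enroll a device: check the approved list, create the container, push policy."""
    if device.model not in APPROVED_MODELS:
        raise ValueError(f"{device.model} is not on the approved device list")
    device.enrolled = True
    for path in corporate_items:
        device.storage[path] = Owner.CORPORATE
        device.container.add(path)
    device.camera_enabled = not disable_camera
    device.allowed_apps = set(allowed_apps) if allowed_apps is not None else None
    return device


def corporate_data_remaining(device: Device):
    """Corporate-owned items still present anywhere on the device."""
    return {p for p, owner in device.storage.items() if owner is Owner.CORPORATE}


def offboard(device: Device, full_wipe: bool):
    """Remove the organization from the device.

    full_wipe=False: delete only the container and leave personal data intact.
    full_wipe=True:  erase everything, including the user's personal data.
    Either way the device leaves management and the pushed policy is lifted.
    """
    if full_wipe:
        device.storage.clear()
    else:
        for path in device.container:
            device.storage.pop(path, None)
    device.container.clear()
    device.enrolled = False
    device.camera_enabled = True
    device.allowed_apps = None
    return device


def demo(full_wipe: bool):
    """Run one onboard/offboard cycle on constructed data and report what survives."""
    dev = Device(model="Phone Model A", storage={"photos/family.jpg": Owner.PERSONAL})
    onboard(dev, ["work/mail.db", "work/contacts.db"],
            disable_camera=True, allowed_apps={"mail"})
    # Constructed edge case (assumption): a work attachment ended up outside the
    # container, so a container-only wipe cannot see it.
    dev.storage["downloads/q3-forecast.xlsx"] = Owner.CORPORATE
    offboard(dev, full_wipe=full_wipe)
    return {
        "personal_intact": "photos/family.jpg" in dev.storage,
        "corporate_left": corporate_data_remaining(dev),
        "enrolled": dev.enrolled,
    }


if __name__ == "__main__":
    print("selective wipe:", demo(full_wipe=False))
    print("full wipe:     ", demo(full_wipe=True))
```

The selective path leaves the user's photo in place but also leaves the corporate file that was saved outside the container; the full path removes both. That difference is the reason the text gives for choosing a full wipe when the data is very sensitive.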