Mobile Device Management – CompTIA A+ 220-1201 – 1.3

Most organizations must manage hundreds or thousands of mobile devices. In this video, you’ll learn about mobile device management (MDM), device ownership options using BYOD and COPE, data synchronization challenges, and managing business applications.


If you have an organization and you need to manage all of the mobile phones used in that organization, then you need a Mobile Device Manager, or MDM. An MDM lets you manage devices that are owned by your company as well as devices that are personally owned. The personally owned case is BYOD, Bring Your Own Device, where someone brings their own phone to use at work.

Either way, you need some way to centrally manage all of your mobile devices from one place. This is a relatively specialized function, so you need specialized software to do it. An MDM allows you, as the system administrator, to set rules and parameters for how these mobile devices are used. You can set policies on which applications are allowed or not allowed. You can configure or disable functionality such as the camera or GPS, and you can effectively control almost every aspect of these mobile devices.

The MDM also allows you, as a company, to set up a partitioned area on someone's personal phone for use by the organization. Your users keep their own private data, protected and private to them, while a separate part of the phone is partitioned off just for corporate data. And from a security perspective, you can require certain security policies. For example, you may require everyone in your organization to use a screen lock, and that screen lock must require a personal identification number (PIN), password, or biometric in order to unlock the phone.

BYOD is an interesting challenge for organizations. This, of course, stands for Bring Your Own Device. You may also see it referred to as bring your own technology. The employee owns the phone, and since they already have a phone, this simplifies things for the employee because they don't have to carry around two different mobile devices. But we need some way to protect the company data that is stored on that phone while making sure that all of the user's personal information remains personal and private.

The Mobile Device Manager lets you configure which part of that device is home or private and which part is used for work purposes. You can also set different parameters for how the corporate data is protected on that device. And you need to set policies on what happens to the corporate data if the phone is upgraded, traded in, lost, or stolen; for example, a selective wipe that removes only the work partition and leaves the user's personal data in place.

Some organizations don't allow personally owned phones to be used for work at all. Instead, the company provides the phones through COPE, Corporate Owned, Personally Enabled. The company purchases the phone, assigns it to a user, and manages it as a corporate device. Although the corporation has full control of that device, many organizations still allow the user to use it as a personal device as well. Since the company purchased the phone, it has complete control over every aspect of how that device is managed.

This is very similar to how organizations might manage laptops, desktops, and other computing devices. The company determines how information is stored on the device, what type of information is stored on the device, or perhaps, more importantly, what happens to that data if the device is changed out or if the device is lost.

Some organizations add some flexibility to the process and allow the user to choose from a selection of approved devices. We refer to that as CYOD, or Choose Your Own Device. Managing all of your mobile devices from a central MDM policy screen provides a lot of flexibility and saves a lot of time. For example, you can configure your corporate email settings once in the Mobile Device Manager. That configuration is pushed down to everyone's phone, so users don't have to make any changes at all to gain access to their inbox. They simply turn on their phone, and everything works as it should.

The security team may decide that they would like additional security on these mobile devices, since the devices are outside of the company and can be lost easily. So they may require two-factor authentication, and they can specify what type of multifactor authentication they would like.

And from the MDM, you can determine what applications are allowed on that device, if there are certain applications that are forbidden to be installed on that device, and you can even push those applications to be installed automatically.

Here's a view from an MDM console. We can see a number of devices inside of the organization, along with the device name and the platform each one uses. We can see the username associated with each phone and even the email and contact information for that user. And if you need the IMEI, the International Mobile Equipment Identity, which is a unique identifier for the handset hardware, that's also listed in the Mobile Device Manager.

You can drill down on one of those devices to get more information about it. For example, this is an Apple iOS device, specifically an iPhone 13. You can see the version of iOS that it's running, the device security options that may be enabled or disabled, and a summary of the network that's currently in use for that particular unit.
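The inventory view above is only useful if someone actually checks it against policy. The following is an added example, not code from the video or from any MDM vendor: a small compliance check over a constructed device inventory (the device names, users, e-mail addresses and app identifiers are invented for illustration), with the kind of rules an MDM would enforce. It also validates the IMEI, which is 15 digits with a Luhn check digit, so a mistyped IMEI is caught before it is used to block or locate a handset.

```python
"""Compliance check over an MDM device inventory.

The inventory, the policy, and all identifiers below are constructed for
illustration; they are not an export from a real MDM.
"""
from dataclasses import dataclass, field

# Constructed policy: minimum OS per platform, banned app IDs, required controls.
POLICY = {
    "min_os": {"iOS": "17.0", "Android": "14"},
    "forbidden_apps": {"com.example.unapproved-cloud-sync"},  # hypothetical app ID
    "require_passcode": True,
    "require_encryption": True,
}


@dataclass
class Device:
    """One row of the MDM console: name, platform, user, contact, IMEI, state."""
    name: str
    platform: str
    os_version: str
    user: str
    email: str
    imei: str
    passcode_set: bool
    encrypted: bool
    apps: list = field(default_factory=list)


def version_tuple(version):
    """'17.4.1' -> (17, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def imei_is_valid(imei):
    """IMEI: 15 decimal digits, last digit is a Luhn check digit."""
    if len(imei) != 15 or not imei.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(imei)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_device(dev, policy=POLICY):
    """Return a list of policy findings for one device (empty = compliant)."""
    findings = []
    min_os = policy["min_os"].get(dev.platform)
    if min_os and version_tuple(dev.os_version) < version_tuple(min_os):
        findings.append(f"OS {dev.os_version} below minimum {min_os}")
    if policy["require_passcode"] and not dev.passcode_set:
        findings.append("no screen lock passcode")
    if policy["require_encryption"] and not dev.encrypted:
        findings.append("storage not encrypted")
    banned = policy["forbidden_apps"].intersection(dev.apps)
    if banned:
        findings.append("forbidden apps: " + ", ".join(sorted(banned)))
    if not imei_is_valid(dev.imei):
        findings.append("IMEI fails format/check-digit validation")
    return findings


def non_compliant(inventory, policy=POLICY):
    """Map device name -> findings for every device with at least one finding."""
    return {d.name: f for d in inventory if (f := check_device(d, policy))}


# Constructed inventory; the IMEIs are the public Luhn example 490154203237518
# plus values built to pass or fail the check digit deliberately.
INVENTORY = [
    Device("jsmith-iphone13", "iOS", "17.4.1", "jsmith", "jsmith@example.com",
           "490154203237518", True, True, ["com.microsoft.Office.Outlook"]),
    Device("rlee-iphone", "iOS", "16.7.8", "rlee", "rlee@example.com",
           "490154203237519", False, True, ["com.example.unapproved-cloud-sync"]),
    Device("mchen-pixel", "Android", "14", "mchen", "mchen@example.com",
           "351234567890124", True, False, []),
]

if __name__ == "__main__":
    for name, findings in non_compliant(INVENTORY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Running it lists only the two non-compliant devices with their findings; a real deployment would feed the same logic from the MDM's API export and trigger the corresponding MDM action (block, notify, selective wipe) rather than print.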

If we click over to the Restrictions tab, you can see all of the settings you can enable or disable, since you are the manager of this particular phone. You can enable or disable the camera and FaceTime. You can change whether voice dialing is enabled or disabled. If you want to get rid of Siri, you can turn that off inside of the MDM. Different security options, printing options, and application options are also configured from this Restrictions screen.
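On iOS, the screen-lock requirement described earlier and the toggles on this Restrictions tab are both delivered as payloads inside an Apple configuration profile (a .mobileconfig, which is an XML property list). The following is an added example, not code from the video or from any MDM product: it builds such a profile with Python's standard plistlib, using Apple's documented payload types com.apple.mobiledevice.passwordpolicy (Passcode) and com.apple.applicationaccess (Restrictions). The organization name and the reverse-DNS identifier prefix are constructed placeholders. In practice an MDM signs the profile and installs it over its enrollment channel, and some restriction keys only take effect on supervised devices.

```python
"""Build an Apple configuration profile (.mobileconfig) that requires a
screen-lock passcode and disables camera, FaceTime, voice dialing and Siri.

ORG and ORG_ID are constructed placeholders; payload types and keys are
Apple's documented Passcode and Restrictions payload keys.
"""
import plistlib
import uuid

ORG = "Example Corp"        # constructed organization name
ORG_ID = "com.example.mdm"  # constructed reverse-DNS prefix for PayloadIdentifier


def passcode_payload(min_length=6, max_failed=10, max_inactivity_min=5):
    """Passcode payload: mandatory PIN, no simple PINs, auto-lock, wipe on failures."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                     # a passcode is required
        "allowSimple": False,                 # reject 1111, 1234, ...
        "minLength": min_length,
        "maxFailedAttempts": max_failed,      # device wipes after this many failures
        "maxInactivity": max_inactivity_min,  # minutes before the screen locks
    }


def restrictions_payload(camera=False, facetime=False, voice_dialing=False, siri=False):
    """Restrictions payload: the toggles shown on the MDM Restrictions tab."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Device restrictions",
        "allowCamera": camera,
        "allowVideoConferencing": facetime,   # FaceTime
        "allowVoiceDialing": voice_dialing,
        "allowAssistant": siri,               # Siri
    }


def build_profile(payloads):
    """Top-level profile wrapping the payloads; the user cannot remove it."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ORG} mobile baseline",
        "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": True,
        "PayloadContent": payloads,
    }


def to_mobileconfig(profile):
    """Serialize the profile dict to XML plist bytes (the .mobileconfig body)."""
    return plistlib.dumps(profile)


def payload_settings(mobileconfig_bytes, payload_type):
    """Parse a profile back and return the payload of the given type, or None."""
    profile = plistlib.loads(mobileconfig_bytes)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == payload_type:
            return payload
    return None


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile([passcode_payload(), restrictions_payload()]))
    with open("baseline.mobileconfig", "wb") as fh:
        fh.write(blob)
    print(blob.decode())
```

The round-trip helper at the end is the check a practitioner wants before pushing a profile fleet-wide: parse what you generated and confirm the keys the Restrictions tab will display are really set to the values you intended.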

The MDM also allows you to configure how this device will be synchronized over the air. Since these devices are rarely plugged in to a central facility, we need some way to back up the data that's stored on these mobile phones. Some of these settings are already preconfigured. For example, telephone information and messages are things we know will always be set up on these devices. But different organizations use different types of email. One organization might use Gmail; another might use Microsoft Exchange and Outlook.

Each organization does things a different way with different settings, and the MDM allows you to configure all of those in one central place. It also lets you control how the data will be synchronized. You can specify whether data is synchronized over the Wi-Fi network only or whether it can use the cellular network as well. This is also important for understanding how the data will be restored if the device fails, is damaged, or needs to be replaced.

You can also get into the granular settings of the synchronization. For example, you can specify which types of data will be synchronized. Will we synchronize calendar settings? Will we synchronize contact details? And we may even want to change how the data is synchronized at different times of the day. For example, some organizations may not want to use the cellular network because of cost limitations. Maybe you can only synchronize this data when the device is on an 802.11 Wi-Fi network.

Fortunately, most mobile devices have settings that specify how much of the cellular network can be used and for what purposes. You want to check the contract you have with your cellular provider to see how much data is allowed over the network and during which time periods. And you, as the administrator, can configure whether automatic downloads are enabled and, if they are, what size of application can be downloaded over the mobile network.

When you're setting up business applications on these devices, you're often configuring things like Outlook, email, cloud storage, and other services. You would commonly set those up in the account settings of the device, where you need to provide a username and password or some other type of authentication factor. From there, you get even more granular control over exactly what will be synchronized, and you can choose mail, contacts, calendars, reminders, notes, or other settings. These can also differ from one service to another, so your synchronization settings for Microsoft Exchange might be very different from the synchronization you configure for Google Mail.