Most folks in charge of managing mobile devices in an enterprise environment know about mobile device management (MDM). We’ve talked about it on this blog a few times before, and it’s a great foundation for launching mobile initiatives within an organization. MDM has many features that allow you to auto-configure device settings, install corporate applications, and monitor device usage (including the ability to lock out certain built-in features, like camera access and the device’s public app store). However, MDM gets a bit heavy-handed when you begin to consider a bring-your-own-device (BYOD) program, allowing employees to use their personal devices for work. This is where a mobile application management (MAM) provider can help to raise your mobile strategy to the next level.
Dissecting MDM — A 30,000 Foot View

Let’s start out by taking a look at what MDM does at a high level and then see where it starts to fall short. MDM is simply a policy distribution portal. IT security policies, bits of device configuration details written into a digital file, are stored in the MDM server and pushed out to devices when they enroll. Once these policy files are installed, the device reads from them to adjust its configuration settings accordingly. Then, the MDM app on the device makes periodic calls back to the MDM server to report its current status and checks to see if any policies were updated in the meantime. If a device is up to date and has all policies and configurations in place, it’s considered compliant and free to keep working. If not, the MDM system goes through its scheduled list of events for non-compliance, and depending on the severity of the non-compliance issue, this could lead to the remote deletion of all data on the device.
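To make the check-in loop concrete, here is an added example (not code from the original post or any MDM product) that models one device status report being evaluated against a constructed policy set, with the non-compliance action chosen by the most severe violation. The policy names, severities and escalation steps are assumptions for illustration.

```python
"""Toy model of the MDM check-in described above: the server holds policy
payloads, the device reports its current settings, and non-compliance
escalates according to severity.  All policies, severities and actions
here are constructed for illustration, not taken from any real product."""
from dataclasses import dataclass, field

# Constructed policy set: the setting a device must report, the expected
# value, and how serious a violation is (1 = low, 2 = medium, 3 = high).
POLICIES = {
    "passcode_required": {"expected": True, "severity": 3},
    "encryption_enabled": {"expected": True, "severity": 3},
    "camera_allowed": {"expected": False, "severity": 1},
    "public_app_store_allowed": {"expected": False, "severity": 2},
}

# Escalation ladder for non-compliance, keyed by the worst severity seen.
ESCALATION = {
    0: "compliant",
    1: "notify_user",
    2: "block_corporate_access",
    3: "remote_wipe",
}

CURRENT_POLICY_VERSION = 2  # assumed version the server is pushing now


@dataclass
class DeviceReport:
    """What the on-device MDM agent sends back on each periodic check-in."""
    device_id: str
    policy_version: int
    settings: dict = field(default_factory=dict)


def evaluate(report, policies=POLICIES, current_version=CURRENT_POLICY_VERSION):
    """Return (action, violations) for one check-in.

    A device is compliant only if it carries the current policy version
    and every required setting matches.  Otherwise the action is picked
    by the most severe violation, mirroring the severity-based escalation
    the post describes.  A setting the device did not report at all is
    treated as a violation rather than silently passing."""
    violations = []
    if report.policy_version < current_version:
        violations.append(("stale_policy", 2))  # missed update: medium
    for name, rule in policies.items():
        if report.settings.get(name) != rule["expected"]:
            violations.append((name, rule["severity"]))
    worst = max((sev for _, sev in violations), default=0)
    return ESCALATION[worst], violations
```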
With corporate-provisioned device programs, the organization can limit support to a small selection of devices (often under a single platform), which makes it easier to maintain MDM security and feature parity across the devices it supports. This is an important distinction because the device controls available to MDM vendors rely heavily on application programming interfaces (APIs) provided by the device manufacturers. This fragmentation of security and control capabilities across platforms makes it considerably more difficult to map vulnerabilities to the devices in use, let alone communicate to employees why there may be a discrepancy in support levels for device ‘X’ compared to device ‘Y’. Many who are unfamiliar with this issue assume that having an MDM in place means a BYOD program opens the door to any employee-owned device, so long as it runs a supported operating system. Unfortunately, that’s just not the case.
In addition to the fragmentation of feature support across platforms, the fact that the API controls come from the device manufacturers makes basic MDM functions highly commoditized. The main difference between competitors usually ends up being the time to market for incorporating the latest API changes. This has led many MDM vendors to create value-added services around their MDM offerings — like enterprise app stores for internal, private app distribution — in order to remain competitive. So, while many MDM vendors offer the ability to distribute apps within the organization, the approach to developing the app store features and functionality is an afterthought to the main business driver — device management.
Finally, placing a device under management gives the MDM system control of the device. It’s pretty much an all or nothing kind of deal. This brings into play the ethical question of how much control an employer should be able to enforce on a personal device. In the case of contracted employees — particularly IT contract resources — their device may already be under MDM control by their own management organization, and a device cannot enroll with more than one MDM system at a time. When considering part-time employees using their mobile devices for work, companies have to manage access to company resources to prevent part-time employees from working during off-hours, protecting HR from unwarranted overtime requests and protecting employees’ rights to compensation for time contributed.
How is MAM Different?

The shortcomings of MDM stem from trying to enforce control of employee behavior at the device level, and when each device is so different, how can you effectively manage that control in a BYOD environment? Moreover, should you be doing so in the first place? MAM looks to remedy those issues by moving the security and access control points from the device level to the app level. At this granular level, IT can enforce different levels of security requirements for different business functions through the apps that access the data. Corporate information stays separate from personal information, and the company can protect its data while preserving the privacy of the employee. Also, since everything happens at the app level, there’s no concern over conflicting with another MDM agent. MAM apps can be installed on any device, provided the application is compatible with the device’s operating system.
Many enterprise app developers have partnered with the leading MAM vendors to bring tight security and app management control features to existing apps. So, check with your software vendors to see what MAM providers they already integrate with if you’re considering migrating to an MAM system. If your company develops its own apps, MAM vendors supply an integration software development kit (SDK) that allows your internally developed apps to tie into standardized security and app management control mechanisms. In addition to the programming SDKs for MAM integration, many of the leading providers offer additional APIs to help you track app usage/analytics, as well as built-in crash and bug reporting.
Since app deployment, development and distribution are the focus for MAM vendors, the app store experience tends to be more mature than what is offered by MDM vendors. Social media integration and rating systems for app discovery, simple auto-configuration of app settings, and the ability to distribute a private app store without requiring MDM enrollment make the whole process of getting employees up and running on a new app much more streamlined. While MAM isn’t a silver bullet for managing your mobile workforce, it does provide a much lighter-weight approach to enabling your employees to leverage personal devices in the workplace, while still maintaining a tighter level of security and control over corporate data without housing the added infrastructure of an MDM deployment. Just one more item to consider for your mobile management toolset.