We do not need so much mobile control

Barry Scott reckons there is less need for full, mandated, mobile device management

More people than ever are using their personal smartphones for work. The good news for companies is that employees tend to be more productive, more efficient and happier to be using something they are familiar with and not juggling multiple devices. The bad news is that proprietary business data is increasingly at risk.

To solve this problem, companies may have purchased and deployed mobile device management (MDM) products with a view to securing the applications and data on smartphones and tablets that employees bring to work.

Yet this solution may not work much longer, given the growing concerns about user privacy. At the same time, mobile device operating systems are starting to deliver much better security for both privacy control and data protection.

Employees are starting to rebel against MDM, which has nearly complete control over the device. Users either accept that control so they can access company resources and data, or they just don't use their own devices at work.

The problem is that the mobile device must enrol with MDM, and accept the policies that the IT department has instigated.

This allows IT to control critical aspects of the device and provides the necessary privileges for issuing remote wipe commands if the device is lost or stolen, as well as the ability to request a full list of all the applications installed.

Those applications might reveal a lot more information than someone might care to share, such as personal hobbies, religious beliefs, marital status, or even sexual preferences.

This is far too much information for IT to be handling. Yet IT departments, following on from their policies for laptops and PCs, have been conditioned to want to control which applications are installed and to prevent users from installing anything that they have not explicitly approved.

But on mobile devices this control is not necessary, as long as the devices are not jailbroken or rooted, since jailbreaking or rooting turns off the application isolation technology built into the mobile operating systems.

The MDM really only needs to check the device has not been compromised; MDM does not need a full inventory of applications installed, only of the business applications it has installed itself.

Some MDM offerings do provide the administrator with more granular controls, so they can selectively wipe and secure parts of the device. But the fact remains that employees have concerns about the lack of privacy on their personal phone and that personal information - photos, applications, contacts, and so on - may be at risk when the phone is wiped.

There is a better way to protect business information and applications without giving full control to IT staff.

Both Samsung and Apple are pioneering 'container' offerings that isolate business information from personal apps and data. These containers are built into the mobile OS to ensure that business applications and data are secured in line with business requirements.

Apple provides a virtualised container environment, which can be turned on via its management controls. Managed accounts and apps can be configured to share data while protecting that data from any of the other personal applications the user has installed.

When the management system removes the managed accounts and managed apps, it removes all business data including email messages, attachments, files and data that these business apps may have downloaded or cached on the device.

All this is done without changing the user's experience on the device.

Samsung has built on SE Android to secure devices, applications and data, as well as provide a secured container to separate personal 'spaces' from work. IT can control the applications and accounts used within the container to protect business accounts, attachments and data.

So the need for full MDM capabilities - and all the user concerns about them - is disappearing fast. Users only need to register their device in order to have business applications and accounts configured within these containers. IT can then provide access to the business without dictating security policies over the whole device.

Cue happier employees and IT departments.

Barry Scott is EMEA technical director at Centrify