Sep 09 2021

5 Considerations for Mobile Device Management

Take careful steps when enrolling agency devices into unified endpoint management.

Mobile device management (MDM), also called enterprise mobility management or unified endpoint management, increases security by enforcing compliance with organizational policies on mobile devices.

1. Should my agency go on-premises or in-the-cloud for MDM tools?

With a cloud-first strategy, you’ll deliver a better service and experience lower overall costs. On-premises MDM may be required in certain circumstances; for example, if an MDM is tightly linked to an existing endpoint security product already running on-premises. If possible, use the cloud for this important (but not business-critical) function to save time and money. 

2. How do I balance agency security with individual privacy when using MDM?

For agency-owned devices, there’s no conflict: Don’t give up security on an agency laptop just because the user might also want to do some online shopping from the same device. For bring-your-own-device programs, think of MDM as an agreement with end users: In exchange for control over some aspects of the device, they get the convenience of having access to sensitive information on their personal smartphone. If they’re uncomfortable with that deal, then they can decline to participate in MDM — but also won’t be able to connect to the agency’s trusted networks or information systems.

3. With so many settings, where do I start when defining policy for MDM?

Focus on MDM policy elements that have a direct impact on overall security: device lock, app store access, password and biometric policies, and software patch and update settings. Those should be pushed immediately to everyone. Then, divide users into groups in the MDM console, including a group of early adopters outside of IT. Slowly incorporate additional MDM policies by pushing to early adopters first, then rolling out agencywide once you are confident there are no negative side effects. 

4. How do I deploy MDM without touching every agency device?

Investigate “zero-touch” deployment options. For both Apple and Android devices, hardware resellers such as CDW can coordinate with hardware vendors so that devices automatically install basic configurations — including mobile device management enrollment — the first time they are turned on (or after a factory reset). This not only cuts deployment costs but also increases security for lost or stolen devices. 

5. How do I manage modern mobile devices with old software?

MDM works with a broad range of devices and OS versions, but old devices and out-of-date software can be a problem. Smartphone software is constantly under attack. That means keeping devices updated and patched should be agency security policy. Any device so old that it can’t run MDM software shouldn’t have access to sensitive data in the first place.
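Points 3 and 5 together describe a procedure: push the baseline controls to everyone at once, stage additional policies through an early-adopter ring before going agencywide, and deny sensitive data to devices that fail the baseline or cannot run MDM at all. The Python sketch below, added here and not part of the StateTech article or any MDM vendor's tooling, models that flow; the device records, policy names, platform version floors and passcode length are constructed assumptions, and a real script would read inventory from the MDM console's API instead.

```python
# Added illustrative model of the article's MDM rollout; not vendor or agency code. Data below is constructed.
from dataclasses import dataclass
BASELINE = {"device_lock", "app_store_restricted", "passcode_policy", "patch_level"}  # pushed to everyone immediately
MIN_OS = {"ios": (15, 0), "android": (12, 0)}  # assumed minimum patched versions
PASSCODE_MIN_LEN = 6                            # assumed
STAGED = {"vpn_always_on", "managed_browser"}   # constructed names for later policies
# Ring 0: IT only; ring 1: plus early adopters outside IT; ring 2: agencywide.
RING_GROUPS = [{"it"}, {"it", "early_adopters"}, {"it", "early_adopters", "all"}]

@dataclass
class Device:
    name: str
    group: str            # "it", "early_adopters" or "all"
    platform: str         # "ios" or "android"
    os_version: tuple
    device_lock: bool
    app_store_restricted: bool
    passcode_len: int
    mdm_supported: bool = True

def baseline_violations(d: Device) -> list:
    """Baseline controls the device fails; an empty list means compliant."""
    if not d.mdm_supported:
        return ["cannot_run_mdm"]  # too old to enroll, so it fails outright
    checks = [("device_lock", d.device_lock),
              ("app_store_restricted", d.app_store_restricted),
              ("passcode_policy", d.passcode_len >= PASSCODE_MIN_LEN),
              ("patch_level", d.os_version >= MIN_OS[d.platform])]
    return [name for name, ok in checks if not ok]

def may_access_sensitive_data(d: Device) -> bool:
    return not baseline_violations(d)  # point 5: no MDM or failed baseline means no access

def assigned_policies(d: Device, ring: int) -> set:
    """Baseline reaches everyone; staged policies follow once the device's group joins the ring."""
    return set(BASELINE) | (STAGED if d.group in RING_GROUPS[ring] else set())

def next_ring(ring: int, devices: list, problem_reports: set) -> int:
    """Widen the rollout only when no device in the current ring reported side effects."""
    in_ring = {d.name for d in devices if d.group in RING_GROUPS[ring]}
    if in_ring & problem_reports or ring + 1 >= len(RING_GROUPS):
        return ring
    return ring + 1

DEVICES = [  # constructed inventory for a dry run
    Device("ipad-it-01", "it", "ios", (15, 4), True, True, 6),
    Device("pixel-early-07", "early_adopters", "android", (12, 0), True, True, 8),
    Device("iphone-finance-22", "all", "ios", (14, 2), True, False, 4),
    Device("legacy-tablet-03", "all", "android", (8, 1), True, True, 4, mdm_supported=False),
]
```

Running `baseline_violations` over the inventory shows the finance phone failing three baseline controls and the legacy tablet failing outright, while `next_ring` refuses to widen the rollout as long as any device in the current ring has reported a problem.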