2. How do I balance agency security with individual privacy when using MDM?
For agency-owned devices, there’s no conflict: Don’t give up security on an agency laptop just because the user might also want to do some online shopping from the same device. For bring-your-own-device programs, think of MDM as an agreement with end users: In exchange for control over some aspects of the device, they get the convenience of having access to sensitive information on their personal smartphone. If they’re uncomfortable with that deal, then they can decline to participate in MDM — but also won’t be able to connect to the agency’s trusted networks or information systems.
3. With so many settings, where do I start when defining policy for MDM?
Focus on MDM policy elements that have a direct impact on overall security: device lock, app store access, password and biometric policies, and software patch and update settings. Those should be pushed immediately to everyone. Then, divide users into groups in the MDM console, including a group of early adopters outside of IT. Slowly incorporate additional MDM policies by pushing to early adopters first, then rolling out agencywide once you are confident there are no negative side effects.
4. How do I deploy MDM without touching every agency device?
Investigate “zero-touch” deployment options. For both Apple and Android devices, hardware resellers such as CDW can coordinate with hardware vendors so that devices automatically install basic configurations — including mobile device management enrollment — the first time they are turned on (or after a factory reset). This not only cuts deployment costs but also increases security for lost or stolen devices.
5. How do I manage modern mobile devices with old software?
MDM works with a broad range of devices and OS versions, but old devices and out-of-date software can be a problem. Smartphone software is constantly under attack. That means keeping devices updated and patched should be agency security policy. Any device so old that it can’t run MDM software shouldn’t have access to sensitive data in the first place.