In my time spent writing and talking about iOS, Android, MDM, MAM, and all the other things that make up enterprise mobility management, I hear a lot of questions about those new technologies. Most of the questions are reasonable, but sometimes people have pretty high expectations about what EMM technology should be able to do, and are then disappointed when there’s no good answer. (Or they just outright dismiss the value of EMM.)
It’s not surprising that this happens. There’s a lot of marketing hype and promises being made by vendors, and at the same time most companies aren’t using any EMM tools yet. There just isn’t much of an established baseline for expectations.
Nevertheless, the reality is that many of these seemingly crazy issues that people bring up with EMM are really problems we’ve been facing for years, and will continue to face forever. This doesn’t mean that EMM is good or bad—the exact same thing can happen with any new technology (just look at all the issues that are coming up around DaaS).
For this article I’ve put together a list of common EMM issues and questions. Sometimes these seem like they’re hard questions to answer, but again my point is that in reality, most of these are issues that we have to deal with no matter what.
“I want a solution that will let my users choose any device and any app, but still keep my data 100% secure.”
We all know that security and accessibility are at opposite ends of a spectrum, and EMM has to deal with that just like any other technology. To serve one goal, we have to compromise on the other. For example, look at mobile app management: today we pretty much have to deal with either a specially modified app or a special device. That goal of any app on any device with complete security just isn't very realistic.
Like the old joke goes, the only secure device is one that’s powered off and buried in six feet of concrete in an undisclosed location.
“There’s no MAM-secured version of Evernote!” (Or OneNote, or DocuSign, or <insert app name here>)
This is true. Unfortunately thanks to consumerization, we don’t get to pick what users use. All we can do is offer the best functionality we can via apps we can secure and hope that that entices our users to use them. But if a user wants to fire up their personal Gmail app and send some thoughts about work to a colleague, there’s not much we can do about that. In other words, while we can have control over how institutionally-created data is disseminated, we can’t have any control over user-created data. We just have to pray for data ingestion.
“Apple and Google aren’t ‘enterprise’ companies. We can’t trust corporate data on their devices.”
The same thing goes here. It doesn’t matter whether or not we consider something to be appropriate for the enterprise—thanks to consumerization, we don’t get to pick which devices our users use. Instead, we get the task of figuring out how to securely extend enterprise resources to all these different platforms. (And figuring all this out is good for job security, too!)
“What if someone jailbreaks or roots their phone and completely goes around our management?”
Many vendors claim to be able to detect jailbroken and rooted devices, or that their apps can keep data safe even on compromised devices. On the other hand, there will always be people figuring out how to get around these very protections. The bottom line is that thieves will be thieves, and ultimately there’s nothing we can do about that. (It is a task for HR, though!)
“Why is it so hard to blacklist apps?”
Even with MDM, on many mobile devices blacklisting specific apps is a roundabout process. This means that for most of our corporate users, we have to be okay with random misbehaved and possibly malicious apps being on the same devices. Sure, we can remediate by removing enterprise resources from devices that harbor offending apps, but there will still be some overlap. Blame consumerization again.
“We don’t want our users messing around on Facebook/YouTube/whatever.”
Social media sites and ways to waste time on the internet have been around for a long time. (And as a matter of fact, if you’re determined you could actually block them some way or another.) Why would you expect EMM to be the one tool that suddenly makes people stop wasting time?
“A determined user could just take a photo of the phone screen”
Nothing new here... why do you expect EMM to solve this? Even if you can totally “block” it on a device, what’s to stop them from using another device to take a photo of the first device’s screen?
This problem is not new...
...though actually, there are tools that can watermark your documents if you're really worried about this.
“This one specific device with these special security features will solve all of our BYOD/COIT/FUIT problems!”
Yes, it could, if you’re in one of two situations: First, all your employees could happen to think the exact same way, so when they choose their mobile devices, they all pick the exact same device, and it happens to be the one that will solve all of your security issues. Or second, you could be in an environment where security is such a serious issue that employees know that they should never try to work from a personal device and only use their corporate-issued device. (By the way, good luck with that one.)
MDM and MAM have a lot of great uses, but there are certain security, consumerization, and user issues that we'll have from now until the end of time.