Think MDM will enable BYOD? Think again! Let's look at the difference.

It’s important to acknowledge the difference between mobile device management and a bring-your-own-device program. MDM has been around for years, and what results when an MDM solution is implemented is different than what is needed to simply accommodate users’ personal devices.

An IT department (and, if everything is running smoothly, HR and a few other departments) needs to actively decide what a BYOD program should look like for the company. Is it to save money? Is it to make employees happier, perhaps with a wider choice of device models? Is it mandatory, or is it to allow extra “luxury” devices like tablets into an environment? How much ownership does a company want to leave to each employee? The answers to these questions will determine whether an employee-owned program is true BYOD or simply offloading the cost of mobile devices to employees.

MDM + employees paying for their own phones ≠ BYOD

There are many MDM vendors that say, “Sure, we support BYOD, bring ’em on in!” However, the way this happens with many solutions is quite a bit different from how most people would want BYOD to work. Most MDM solutions give IT the ability to control phones and tablets very tightly—administrators can prevent users from installing apps, turn off cameras, enforce password policies, remotely wipe devices, and track the details of everything a user does. Solutions like this have their place, but these controls don’t jibe with what most users would expect to happen if they brought their personal phones into work.

Imagine an employee (I’ll call him Carl) at a company that is implementing a BYOD program. Carl enjoys having the latest smartphone, and is glad that he can finally use it for work, instead of having to also carry around the boring IT-issued phone. When Carl switches over and drops off his corporate phone, IT takes his personal phone for a few minutes to get him set up with some cool-sounding work apps, along with the usual PIM tools. When IT hands Carl his personal phone back, however, it suddenly requires an annoyingly long password to be unlocked, the camera has been disabled, and a few apps (that he bought with his own money) have been deleted because they were blacklisted for being insecure. Carl, to say the least, will be a bit unhappy with his company’s BYOD program, especially if it was mandatory.

This is an extreme example, but it shows how heavy-handed use of MDM software under the guise of BYOD could cause some problems. Another negative result could arise for employees who already use company-issued phones for personal use. An employee could be perfectly satisfied with using the phone provided by the company, accepting whatever restrictions are in place because overall the phone is still a benefit of their employment. If a BYOD program is implemented, that employee is now out the $100 a month they have to pay themselves. A stipend could compensate for part of this, and having more options when it comes to their choice of phone could be a benefit as well.

Optional vs. mandatory

The point of these examples is that if a company uses MDM software to lock down BYOD phones to the same degree as the old corporate phones, then there are very few benefits for the employee. There may be more choices for handset platforms—though these days deploying iPhones and Android phones is just as run-of-the-mill as deploying a corporate Blackberry thanks to a lot of hard work put in by MDM vendors—but it doesn’t take the employee bringing their own device to make it happen. Instead, when a company implements a locked-down, mandatory BYOD program (quite an oxymoron), only the company benefits, because it’s really just running a pay-your-own-bill program.

Where MDM does enable BYOD is in cases where the program is optional. If an employee wants to bring their own tablet into a high-security environment as an extra tool or as a luxury item, they do so knowing that it’s going to be controlled under corporate management policy. In this case the phones in the environment are probably already locked down, either paid for by the company or through a faux-BYOD pay-your-own-bill program.

Manage the data/apps, not the device

In environments that don’t need to be quite that locked down, it makes no sense to try to manage entire devices. Managing one phone per employee is probably fine, because IT departments have been doing this for years. But then in 2009 a few people showed up with iPads. Now there's a deluge of tablets, and who in their right mind wants to first convince all those employees to surrender them to corporate control and then actually implement all that management?

This is not the time to roll out MDM software. For environments that can and want to allow BYOD, concentrate on controlling access to the data, not the devices themselves. After access for all the extra mobile devices is worked out, moving the existing phones to BYOD will be easy.

Models of BYOD

You’ll probably be able to think of where different vendors’ solutions would fall on this list, but I’m going to wait to plug them in until after I’ve talked to all of them.

  • Apps only. The corporate apps get to be password protected, encrypted, and remotely wiped when the phone is lost. The rest of the phone can stay untouched, with whatever wild, crazy apps a user wants, no password, personal photos, and all that other stuff.
  • Hypervisor/VM. Many of the same benefits as an apps only solution, but this time you get a whole operating system instead of just a suite of walled-off and secured apps. One of the cool things about having a virtual phone is that it makes it easy to have two service plans—users and corporations can be sure that they’re each paying their fair share. The elephant in the room is that the chances of Apple allowing iOS to be virtualized are very slim. Also one of the parties still has to own the device, and whoever owns the hypervisor level will really be the party in control.
  • MDM. Good for adding voluntary extra employee-owned devices like tablets to high security situations, and for traditional corporate-liable devices.
  • MDM + sandbox. Having an area where the users can do whatever they want would make MDM more palatable, but it still means that the user isn’t in complete control in a BYOD situation. Type-2 hypervisors where the personal device is the guest VM also fall in this category.
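To make the apps-only model concrete: the added example below (not code from the original post or any vendor) models a corporate app container whose data is encrypted under a key derived from the app’s own passcode, so a remote wipe is a crypto-erase of that key and nothing else on the phone is touched. It uses only the Python standard library; the HMAC-SHA256 keystream is an illustration of the idea, not a cipher to ship, and the passcode and file names are constructed.

```python
"""Apps-only BYOD container (added example, stdlib only). Corporate data is
encrypted under a key derived from the corporate app's passcode; remote wipe
destroys that key material (crypto-erase) and leaves personal data untouched."""
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: block i = HMAC(key, nonce || i).
    # Illustration only; a real app would use the platform's AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

class CorporateContainer:
    """Encrypted store owned by the corporate app, not by the device as a whole."""
    def __init__(self, passcode: str):
        self.salt = os.urandom(16)
        self.blobs = {}          # name -> (nonce, ciphertext, tag)
        self.wiped = False
        self._key = self._derive(passcode)

    def _derive(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, 200_000)

    def put(self, name: str, plaintext: bytes) -> None:
        if self.wiped:
            raise PermissionError("container wiped")
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(self._key, nonce, len(plaintext))))
        tag = hmac.new(self._key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
        self.blobs[name] = (nonce, ct, tag)

    def get(self, name: str, passcode: str) -> bytes:
        # The passcode gates every read: no passcode, no key, no plaintext.
        if self.wiped:
            raise PermissionError("container wiped: key material destroyed")
        key = self._derive(passcode)
        nonce, ct, tag = self.blobs[name]
        if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("wrong passcode or tampered data")
        return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

    def remote_wipe(self) -> None:
        # Crypto-erase: forget salt and key, so the ciphertext is unrecoverable
        # even with the right passcode. Nothing outside the container is touched.
        self.salt = None
        self._key = None
        self.wiped = True
```

Contrast this with a device-level MDM wipe, which would also take Carl’s photos and paid-for apps with it.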

It’s important for any parties considering BYOD or MDM to know the differences and what each solution can and cannot accomplish. Mobile device management solutions have their place, but not in most BYOD situations. MDM can be used to let employees voluntarily add extra devices to secure environments, but BYOD programs should leave the management up to the user, not the company. Requiring employees to surrender their personal devices to corporate management is simply offloading phone bills, not bring your own device.

Join the conversation


You make MDM sound like it's secure everything or nothing. There are ways to have multiple policies that are different for corporate devices than they are for personally owned devices. You're correct in saying that MDM does not equal BYOD solely, but it is a necessary piece which, when implemented correctly, can make everyone happy.


Consumerization of IT has been taking place in universities for years.  30,000 students show up at the beginning of a school year with their laptops and need safe/secure network access -- without compromising the integrity of the network.  There are a lot of lessons to be learned from the EDU market on how to manage the risk of known, registered, and unknown devices on a network.

Network Access Control and Mobile Device Management are now considered the 2 key solutions enabling a Bring Your Own Device (BYOD) strategy.

MDM ensures the integrity of the device.  NAC provisions network access based on the risk profile of the device and its user.


A more modern approach is to use Mobile Application Management (MAM) solutions, which can be used on BYOD devices.

Each user (employee, student, or whatever) sees only what apps they are allowed to based on their organizational authentication.

IT can deploy and manage to a large group of people all the needed apps. Developers can use a simple enterprise-grade SDK "drop in" to ensure app security, updates, and reporting so everyone is on the same page.

Mobile Application Management is the new paradigm. Some might even say we've reached the point of the "Death of MDM".


Regarding the example in the “MDM + employees paying for their own phones ≠ BYOD” section, I fully agree with the statement, “This is an extreme example.” As a Symantec employee, I have talked to many companies about their mobile strategy and I have not met one yet that requires an employee to “surrender” their personally-owned device and lose all valuable and personal functionality. It is truly up to the user to decide – based upon the criteria set by the employer – whether they want to use their device at work. And the degree to which MDM will restrict full use of the device varies greatly, depending on business needs. If the user decides that the convenience of a single device (one for both personal and business use) is worth any restrictions that may be imposed, then they will choose to do it.

What I would add to this section is that individual companies are the ones liable for the business data on the devices, and depending on the industry or circumstances, there might very well be restrictions that are required because of government and industry regulations. For example, healthcare and finance may have stricter limitations, while schools and many other businesses may hardly require much security at all. Once the required security and management level is determined, it makes no difference who owns the device; the restrictions must be the same because the data controls must be the same. And for many companies, the “right” level of MDM control is not so bad.

Brian Duckering



I've been on 3 sides of this discussion - The end-user, the corporate client device IT guy, and the vendor.  I believe the reason there is so much interest/banter/pontification/discourse around BYOD is that it's attempting to balance across no fewer than 3 extremes which are often polar opposites.

End Users want:  1. Personal Choice/Control/Flexibility, 2. Financial subsidies (ideally 100% company paid device & service) 3. Support and assistance to overcome any barriers to corporate access as well as achieving #1 & #2

IT wants: 1. Means of implementing any current or future requirement for information compliance/security controls,  2.The ability to accommodate users by expanding to a BYOD program at a cost LESS than delivering existing services, 3. To satisfy users without creating an operational burden.

Between Users and IT - You immediately have 2 polar opposites in terms of wants/desire/intent of BYOD….

Vendors trying to balance those market demands subsequently need to decide - "Whose budget are we trying to get a piece of?"

- Device HW/OS vendors (Smartphones/Tablets/'fancy' Laptops) cater almost exclusively to the End User. – They incorporate enterprise controls as an afterthought. - Aside from RIM’s BES, let’s just admit it – Microsoft has us over a barrel today with ActiveSync as the principal control point for IT mobility today. The pervasive use of corporate e-mail/calendar/contacts on a phone demands policies like ‘device lock/device wipe’. That needs to change. (Funny we don’t wipe someone’s home computer hard drive if they sync Outlook/GAL using RPC over HTTP(S) and forget their screen saver PW)

- Device Management vendors are vying for a tiny portion of the IT budget, the end-user won't pay a cent.  They will continually be the target of rogue rootkits and jailbreak apps wherever they become prevalent. (Exchange Unlock anyone?)

I’m skeptical that today’s “overlay” styles of enterprise device management can succeed on personal devices – it violates End User requirement #1.    A clever option I’ve seen is the creation of a virtual, downloadable Android phone. -  I’m even more optimistic that the next generation of enterprise apps will benefit from a cloud based PaaS to enable themselves to inherently be instrumented for IT controls end-to-end as client side alone is not enough.

[Comments expressed are my own and are not necessarily representative of my current or prior employers]


As a CIO in a government agency I can tell you that one of the things driving our consideration of BYOD is cost - of the devices. In a time of shrinking govt budgets the only way we can contemplate deployment of tablets etc. is if we don't buy them, primarily because they get updated every 12 months. That's unsustainable when buying 1000s of them to respond to 'business demand'.

As a colleague said 'if I had bought 500 iPads, half of them would mysteriously have broken the day the iPad 2 came out'

That's reality. We can't afford these things within existing budgets, let alone all the security and data management issues.


This was a very interesting article with really good feedback.


Really interesting article but I agree with Tom Murphy - BYOD relies on control of the device (to varying levels depending on corporate policy) and network access control. For example, within the healthcare industry we cannot rely on network access control alone because staff may inadvertently end up with patient data stored on their device. In the case of iOS, if the pin/password isn't enabled the hardware encryption for data at rest is not enabled. We also need to prevent people from storing corporate data on cloud services.

So for us an MDM solution is an essential component - and network access control can come later. We are aiming for a system which will allow compartmentalisation of user and business apps and data which should provide both freedom and security for our users.