Mobile Device Management (MDM) is an issue for companies that employ wireless devices. Those devices include smartphones and tablets that communicate through a cellphone network and wifi-enabled office equipment such as mobile printers and scanners. Point-of-sales devices and barcode readers also fall into the remit of mobile device management.
Issues with mobile devices
Whether the devices that are included in the company network belong to the business or are owned by employees, the major issues that you need to cover are the same:
- Security
- Appropriate use
There is some overlap between these two topics.
Mobile device security
The security issues that arise from mobile devices fall into three categories:
- Communication security
- Virus risk
- Access control
MDM systems need to cover these three essential problems in order to allow you to safely integrate mobile devices into your network.
Despite encryption protection standards for wifi communication, airborne communications are inherently less secure than cable-based networks. Devices taken out of the office may connect back to the network via public wifi hotspots, which may not be bona fide.
The fake wifi hotspot is a very useful tool for hackers who want access to data in transit. The standard wifi encryption protocols only encrypt data while it is in transit between the device and the wifi router, and the keys for that encryption are distributed by the router/hotspot. So, if one of your employees connects through a fake hotspot, all of that user’s network access credentials and all of the data that passes back and forth during the session can be decrypted and stolen. Effective mobile device security therefore needs to include end-to-end encryption.
Browsers and apps can store usernames and passwords to speed up network access. This could cause a security breach if a mobile device gets lost or stolen and the user hasn’t set up a unique lock key on the device. Therefore, it is important to be able to lock a mobile device or delete all data on it from a central location.
The “bring your own device” policy presents problems over which software can be loaded onto the device. If all mobile devices are owned and configured by the company, it is much easier to dictate the software that can be loaded onto those devices. Your MDM system needs to be able to remotely audit all software on a remote device and disable or remove unapproved applications. This is important because extra, unverified apps installed by the end user could give hackers access to your network.
On user-owned devices, the MDM policy should only allow network access via a portal where approved applications can be accessed from an application server. This will enable the owner of the device to keep it for personal use outside office hours.
Access control is an issue that also involves the previous two topics in this section. You don’t want unauthorized software to access your network and you need to be sure that access credentials can’t be compromised through theft or wifi snooping. Automatic login and credentials stored on the device will undermine the security of your access control, so some form of password protection, such as a password vault, should form part of your MDM strategy.
Appropriate use of mobile devices
There are two problems you need to keep track of regarding the use of mobile devices that connect to your network:
- Access to company resources for personal use
- Time wasting
If you allow your employees to get out of the office into the wider world to do their jobs, you need to make sure that they are not just sitting in a café playing a game or downloading music. The resources that you make available for your employees are only for business use, not personal pursuits.
If employees are out of sight but logged in through a mobile device, you need to make sure that they are actually working. You also need to be sure that they are not using unauthorized software on the network and that they are not using the company network to download offensive material.
If you provide employees with smartphones for work, then you will also be paying for their call time and data allowance. These factors can become very expensive, especially mobile data. So, you need to make sure that employees are not making the most of these facilities for personal use, ramping up the company phone bill.
Keeping the above factors in mind, it is easy to see that proper mobile device management is essential before you allow mobile devices to connect to your network. The key requirements of an MDM system are:
- Remote configuration – both individual and en masse
- Software tracking – to record license usage and prevent unauthorized software access
- Application security – for email, messaging, browsers, application and data access
- Remote lock or wipe – in case of device loss
- Data usage tracking – to prevent resource abuse
- End-to-end encryption – to prevent man in the middle attacks over wifi
- Password management – such as a password vault for each device
- Disabling native apps on devices – to enforce software policy
- Jailbreak detection – to prevent rootkit viruses from attacking the operating system
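As an added illustration (not code from any of the products reviewed here), the following Python sketch shows how the requirements above, together with the ownership-based policies described earlier for BYOD devices, turn a device’s inventory report into a remediation decision. The app identifiers, thresholds and device records are constructed for the example.

```python
"""Toy MDM compliance engine: an added illustration, not any vendor's code.

Each managed device sends an inventory report. The engine checks it against
the kinds of requirements listed above (jailbreak detection, software policy,
passcode enforcement, data-usage tracking, remote lock/wipe) and picks the
most severe remediation that applies. The scope of that remediation depends
on the ownership model described for BYOD: a company-owned device may be
locked or wiped outright, whereas a user-owned device only loses access to
the corporate apps or container, leaving personal data untouched.
All app identifiers, thresholds and device records below are constructed.
"""
from dataclasses import dataclass, field

# Constructed policy values; a real MDM stores these per device group.
APPROVED_APPS = {"com.example.mail", "com.example.vault", "com.example.vpn"}
DATA_CAP_MB = 5_000            # monthly corporate data allowance
MAX_DAYS_SINCE_CHECKIN = 7     # device must check in at least weekly

# Remediation actions ordered by severity (index = rank).
ACTIONS = ["allow", "warn", "block_apps", "quarantine", "lock",
           "selective_wipe", "wipe"]
SEVERITY = {name: rank for rank, name in enumerate(ACTIONS)}

# Device-wide actions translated to their BYOD (corporate-container) form.
BYOD_SCOPE = {"wipe": "selective_wipe", "lock": "block_apps",
              "quarantine": "block_apps"}


@dataclass
class DeviceRecord:
    device_id: str
    ownership: str             # "corporate" or "byod"
    jailbroken: bool
    passcode_set: bool
    installed_apps: set
    data_used_mb: int
    days_since_checkin: int
    reported_lost: bool = False


@dataclass
class Verdict:
    device_id: str
    findings: list = field(default_factory=list)
    action: str = "allow"

    def escalate(self, action: str, ownership: str, finding: str) -> None:
        """Record a finding and raise the action if it is more severe."""
        if ownership == "byod":
            action = BYOD_SCOPE.get(action, action)
        self.findings.append(finding)
        if SEVERITY[action] > SEVERITY[self.action]:
            self.action = action


def evaluate(device: DeviceRecord) -> Verdict:
    """Apply the policy checks to one inventory report."""
    v = Verdict(device.device_id)
    own = device.ownership
    if device.reported_lost:
        # Lost/stolen: full wipe for corporate devices, container wipe for BYOD.
        v.escalate("wipe", own, "device reported lost or stolen")
    if device.jailbroken:
        v.escalate("quarantine", own, "jailbreak detected")
    if not device.passcode_set:
        # Stored credentials on an unlocked device undermine access control.
        v.escalate("lock", own, "no device passcode set")
    unapproved = sorted(device.installed_apps - APPROVED_APPS)
    if unapproved and own == "corporate":
        # Software policy covers the whole device only when the company owns it;
        # BYOD users keep personal apps and reach corporate apps via the portal.
        v.escalate("block_apps", own, "unapproved apps: " + ", ".join(unapproved))
    if own == "corporate" and device.data_used_mb > DATA_CAP_MB:
        # Only corporate service plans are tracked; BYOD users pay for their own.
        v.escalate("block_apps", own, f"data usage {device.data_used_mb} MB over cap")
    if device.days_since_checkin > MAX_DAYS_SINCE_CHECKIN:
        v.escalate("warn", own, f"no check-in for {device.days_since_checkin} days")
    return v


def evaluate_fleet(devices) -> dict:
    """Map each device id to its decided action."""
    return {d.device_id: evaluate(d).action for d in devices}


if __name__ == "__main__":
    fleet = [
        DeviceRecord("corp-01", "corporate", True, True,
                     {"com.example.mail", "com.games.slots"}, 1200, 1),
        DeviceRecord("byod-07", "byod", False, False, {"com.games.slots"}, 0, 2),
        DeviceRecord("corp-02", "corporate", False, True, set(), 300, 12,
                     reported_lost=True),
    ]
    for rec in fleet:
        verdict = evaluate(rec)
        print(rec.device_id, verdict.action, verdict.findings)
```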
MDM implementation models
The MDM systems available on the market today fall into two broad categories. The first is an on-premises package. You need to install a controlling program on your office server and also a client program on each of your mobile devices.
The second option is implemented as a cloud-based solution. This category of MDM is known as SaaS, or “software as a service.” You may find that the best option for your company’s requirements lies in contracting in a range of services. You might end up with a hybrid MDM system with some functions covered by on-premises monitoring and other requirements fulfilled by online services.
MDM and MAM
The network security industry has divided the functions of control of mobile access into two categories. Mobile Device Management, strictly speaking, just refers to the security imposed between mobile devices and the central network. Mobile Application Management is concerned with the delivery of software to mobile devices.
Given that software performance can impact network security, it is difficult to imagine how secure access can be implemented without also controlling the applications allowed to use the company’s resources. Therefore, some specialists merge the definition of MAM into MDM. In short, to fully control the activities of your staff that use mobile devices and protect your company network and other resources, you need both MDM and MAM.
Here’s a list of the 10 best MDM solutions:
- ManageEngine Mobile Device Manager Plus
- AirWatch Workspace ONE
- BlackBerry Unified Endpoint Management
- Citrix XenMobile
- Cisco Meraki
- Microsoft Intune
- SOTI MobiControl
- Miradore Mobile Device Management
- Jamf Now
- SimplySecure
There are some great MDM services out there on the market and most of them can be integrated with other network administration functions. This rundown of the ten best solutions includes cloud-based services and on-premises software.
As you read through the list, you will recognize that some of these systems are appropriate for larger businesses and others suit small companies. Noting these factors and the products that meet your monitoring requirements will help you to start narrowing down the list to reach your own shortlist of candidates.
ManageEngine Mobile Device Manager Plus
Despite being a top pick, this service is one of the cheapest on the list. ManageEngine produces excellent facility monitoring and management software, and you have no doubt encountered the name when searching for server and network monitoring tools. If you are already a ManageEngine customer, then you will probably find it very difficult not to add on Mobile Device Manager Plus. It’s cheap, comprehensive, and reliable.
The Mobile Device Manager Plus system comes in both on-premises and cloud-based versions. The “Plus” in the name is there to tell you that this is a complete enterprise mobile management package, not just an MDM. A mobile app manager, a mobile email manager, a mobile application manager, and a mobile content manager are all bundled with the suite.
As with all ManageEngine products, you get a very well thought-out dashboard with Mobile Device Manager Plus. The key features of an MDM are all there. These include a configuration manager for single or mass device set up and there is also a self-enrollment app to onboard BYO devices. You can also set different policies for business-owned and user-owned devices. These enable you to set rules for wifi access, VPN usage, and app access according to the ownership of the device. Customize access to the company’s mobile service plans, including call, data, and messaging credits.
Access devices remotely and control them for troubleshooting and bug fixing. Remote access allows you to locate lost or stolen devices on a map and wipe them. You can detect jailbreaking and sweep for malware, locking out or quarantining at-risk devices.
App license management and application distribution are the main tasks of the MAM features of this package. App delivery can be altered to account for the device ownership and user-owned devices can be given access to the company resources through a kiosk-based portal system. App allocation can be verified per device and will keep access to company mobile service plans available just for business functions, allowing the user to access his own cell phone service credits out of office hours.
The mobile email management system protects all employee emails with encryption and restricts the apps used to open attachments, reducing the risk of virus infection. Direct users to the corporate email server or choose to use cloud-based services, such as Office 365 for your own email system. Cloud apps can be integrated into your mobile app library and access to those is also covered by encryption.
Mobile content management enables file sharing and distribution. Each recipient of a distributed document automatically receives a new version once that original file gets updated. The content management system can deal with documents in ten different formats.
The minimum buy-in for the Mobile Device Manager Plus package gives you the right to manage fifty devices. More devices are possible at higher price points. The suite is available as a Standard plan or a more expensive Professional plan. Get a 30-day free trial for either plan and, if you only manage 25 devices or fewer, the system is free to use.
AirWatch Workspace ONE
The Workspace ONE package from VMware’s AirWatch division includes MDM and MAM functions. The configuration procedures of this MDM are very comprehensive and cover just about every initialization scenario you can think of. Set configurations of smartphones, tablets, and laptops individually or in bulk. An app allows employees to enroll their own devices into the system. Wifi-connected peripheral devices such as printers and wearable technology such as glasses, watches, and headsets can also be integrated into the MDM system.
Policies for different device types and ownership (user- or business-owned) can be set, which gets around the problem of deciding how to treat BYOD equipment. Those different policies can dictate where to apply password protection managed by the central MDM. So, company-owned devices can have their password management applied to the entire device, whereas protection can be applied just to the apps that access the company network on employee-owned devices.
System security extends to two-factor authentication and is even able to integrate biometric checks into the user authentication process. Workspace ONE applies encryption end to end on all business communications on the device. You can choose to use the integrated email management system that provides encryption to secure all email. Encryption is also applied to communications from the device with cloud productivity suites, such as Google Apps and Microsoft Office 365. A VMware VPN system, called VMware Tunnel, is available with higher plans.
Remote management features enable you to troubleshoot and diagnose devices remotely. You can even view the device screen and execute programs on the device from your headquarters in order to fix problems. Higher plans include the ability to track data, call time and message credit usage and block excessive use of corporate connection service plans.
Remote control functions also allow you to lock phones and wipe them selectively or completely in case of loss or theft. You can locate the phone on a map if it is turned on. For safety, detect jailbreaking and the presence of malware, quarantining compromised devices.
Mobile application management is implemented through an app catalog. This is available to mobile users when they access the device management system through the network. The app catalog makes approved applications available for on demand download by the device user. There is also a compliance module that checks for unauthorized apps on each device.
The Workspace ONE package is available in four service levels — Standard, Advanced, Enterprise, and Enterprise for VDI. Workspace One is a cloud-based service and you can get a 30-day free trial.
BlackBerry Unified Endpoint Management
The Unified Endpoint Management package is part of BlackBerry’s Enterprise Mobility Suite. This system is available either as a cloud service or as on-premises software. You can manage mobile devices that run on Windows, Windows Phone, iOS, Android, macOS, and BlackBerry. The UEM system can manage wearable devices and IoT equipment.
The device management process starts with configuration. Create different policies for different device types and ownership models, configure the entire device, or make secure apps available for user-owned equipment.
Remote management functions are included in the package, but it lacks a device wiping capability. Security procedures are strong with this package. MAM functions and content delivery are all encrypted. Application availability can be implemented with iOS native apps, the Office 365 productivity suite, or other apps subscribed to by your company.
You have the option to include secure email, instant messaging, and collaborative platforms in your application packages for users. You can also give your mobile devices access to CRM software in order to help your sales force improve customer relations performance.
Content management can be implemented through cloud solutions such as OneDrive, SharePoint, and Box. Integrate document conversion to include PDF and zip file creation. An add-on module, called BlackBerry Workspace, tracks versions of documents, access to information, and location of file copies through digital rights management techniques. You can even control the permissions to make it impossible to print a document when it is outside of your network.
BlackBerry’s Mobility Suite system is available at five plan levels. The basic MDM functions are available with all plans. However, the mobile email management, content management, and application management modules are only included with higher editions. The entry level plan is called the Management Edition. This includes MDM and some basic application management functions. To get secure email and messaging added to your package, you need to step up to the Enterprise Edition. The other plans, which include more comprehensive application management, collaboration software, and content management, are called the Collaboration Edition, the Application Edition, and the Content Edition, which is the top plan that BlackBerry offers.
The key features of the BlackBerry MDM system are access control to corporate infrastructure and encryption for communications. The actual device control and management capabilities of this package are not as comprehensive as the other options on this list. For example, there is no device location utility nor mobile account usage tracking capability.
All of the mobility plans can be assessed with a free trial.
Citrix XenMobile
XenMobile combines mobile device management, mobile application management, and mobile content management to provide a complete endpoint solution for mobile devices. Citrix is an industry leader in virtualization, along with VMware, and so the delivery of applications and content to mobile devices is particularly powerful with this package.
Configuration can be applied simultaneously to individual devices, policy groups, or to an entire fleet of devices. User-owned devices can be left out of the mobile device management routines. In these instances, the security and access procedures of an app portal provided by the Citrix mobile application management module substitutes for the MDM system. In the MAM-only scenario, the user’s corporate profile gets loaded onto the device whenever they log in, making the device temporarily a part of the company’s infrastructure.
Owners may reclaim control of their own devices once they log out at the end of business hours. That user account profile can be accessed from any device, making it easy for employees to continue their work as they switch between desktop, laptop, tablet, and smartphone.
The remote access functions of this package are very comprehensive and allow an administrator to take complete control of a device, including access to its screen. Device location, locking, and wiping capabilities are built into the admin dashboard. Set up app whitelists and blacklists to allow device owners to manage their own apps instead of locking in a set package of apps. You can also monitor phones for jailbreaking and unauthorized application installation, and sweep them for malware.
The essential element of the XenMobile system is a secure connection between the central network and remote devices. The security system includes threat detection, which extends to secure browser functions that assess the status of web pages before loading them into the mobile device’s browser. The threat detector will notify the central administrator of security risks encountered on a device and quarantine it from the general network until a network analyst has cleaned and re-approved the device.
Citrix provides its own secure apps for XenMobile users. These include secure email, file sharing, and collaboration techniques. If you have your own corporate custom apps, XenMobile can deliver these to mobile devices even if they were not written for use on smartphones and tablets. This can be achieved by “wrapping” apps in containerization methods supplied by the XenMobile apps, or you can integrate in-house native apps simply by adding in one line of code.
The MAM system includes Citrix Secure Forms, which lets your business digitize form-filling functions such as quote and invoice generation or other business documentation. The information entered into Secure Forms can easily be distributed to interested parties through workflows, helping you to automate your business processes.
XenMobile includes all of the functions you would require from a mobile device management system, except that it does not have mobile account tracking functions. Get a look at the system yourself with a free trial.
Cisco Meraki
Cisco Meraki covers the management of laptops and desktops as well as smartphones and tablets. The management console of this system is very attractive and includes a map showing the locations of all of your company’s managed devices. However, it can’t manage IoT or wifi-enabled office equipment, such as printers. It will communicate with devices running Windows, macOS, Windows Phone, iOS, Android, Chrome OS, and Samsung Knox.
Underpinning the MDM is a secure communication channel that is encrypted by AES with a 256-bit key. The app communication is protected by a VPN, which is applied on a per-app basis.
Configuration can be varied according to device type, user profile, or ownership model. These groups of devices can be configured in bulk, but there is always the possibility of individual configuration. Users with their own devices can enroll to get included in the network. The delivery method for apps and data files is called Backpack. The central administrator creates a bundle of files and then sends out access permissions to groups, individuals, or the entire network. These bundles will go out to user-owned devices once they have enrolled and been included in a user group.
Lost or stolen phones can have all of their rights revoked and can be locked or wiped remotely. Meraki automatically tracks mobile plan usage, so excessive activity can be identified from live reports and stolen devices can be cut off from the phone and data services immediately.
Microsoft Intune
Microsoft’s MDM offering is actually what is known as a “unified endpoint management” system because it includes the management of desktop computers as well as mobile devices. You pay for a license per user rather than per device, and each user is allowed to access your services from multiple devices. This is a cloud-based service and it can manage computers and mobile devices running Windows, macOS, iOS, Android, and Windows Phone.
The MDM is intended to be used in conjunction with cloud-based Office 365 and other Microsoft apps. You can deliver other apps to users through the system. You have the option of setting up different policies for company-owned and user-owned devices, with the option to enable users to enroll a device, to control that device completely, or to implement corporate security for each app, leaving the device available for the owner’s private use.
The inclusion method for mobile devices is set up as an enrollment-based scenario. That is, there is no mass configuration function to set up all of your company’s mobile devices from a central console. Instead, you create an onboarding process that each device user is invited to complete. Alternatively, make apps available for users who access your system through their own devices.
A number of security features usually available with MDM services are included with Intune, namely: location of lost or stolen devices (only for iOS), remote locking, and phone wiping. It is possible to scan included mobile devices for unauthorized apps and you can enforce access to the company network through specific apps. However, Intune does not give you the ability to access devices remotely.
Microsoft offers two more mobile control security packages that include Intune together with more advanced security services. These higher plans are called E3 and E5. Stronger security measures such as multi-factor authentication are reserved for the E3 and E5 plans. Intune doesn’t include encryption or a VPN element. There is no secure email system with any of the plans that include Intune.
Although mobile application management is included with Intune, you need to take out the E3 or E5 plan in order to get secured mobile content management functions.
You can access the Intune online service for free in a 90-day trial, which will enable you to get familiar with the Intune methodology and assess the system’s suitability for your enterprise.
SOTI MobiControl
SOTI has a very attractive MDM system, which is called MobiControl. The dashboard includes graphs with live data and you get a map showing the location of all of the devices that you manage. The MobiControl system is an on-premises package that runs on the Windows operating system.
This system manages Windows, iOS, and Android devices as well as specialist industry devices and IoT equipment, so it isn’t just capable of controlling phones and tablets, but also non-standard devices running Linux operating systems.
Configure your devices in bulk with MobiControl and perform other device management functions en masse. Get remote access to individual devices, get screen views, and run programs remotely to fix problems. You get remote lock and remote wipe capabilities to deal with lost or stolen phones.
You can opt to enroll the entire mobile device in the MDM or restrict network access to specific apps, leaving the user-owned devices available for out of hours private use. The SOTI software includes a specialist browser for client devices that gives access to apps and incorporates system encryption. Create groups of devices and apply different rules to each, making different packages of apps available to each group.
Mobile content management is implemented by a module called SOTI hub that selectively grants access to centrally stored files and logs all file access.
SOTI MobiControl is a very comprehensive MDM. The only key MDM feature that this package lacks is the ability to track and control mobile data and call plan usage.
You can access the MobiControl software directly from the SOTI website and start using it on a 30-day free trial to check out the system before you buy.
Miradore Mobile Device Management
The Miradore Mobile Device Management package is an online service and it is free of charge. Miradore actually has three levels of service, with the two higher plans available for a fee. Those paid plans consist of the Business Edition, which costs $1 per device, and the Enterprise Edition, which costs $2 per device. All plans can manage mobile devices running Windows, iOS, and Android.
With the free MDM you get just about all of the security features available on all Miradore plans. These include end-to-end encryption and remote control functions. Those remote access functions allow you to lock or wipe a lost device, locate it, reset its password, or even bypass any hardware password set by the user. You can make the device sound an alarm, which is useful to help a user to locate a misplaced device or to deter a thief.
A map in the dashboard shows exactly where all of your devices are located. Each device can send notifications of any status changes to the control console.
The configuration process with Miradore is enrollment-based. That is, you don’t configure all the devices, but you invite each user to set up the device with the Miradore client in order to access your network. Those configurations can include secure email apps, wifi protection, and a VPN service. The VPN is only available for iOS devices.
If you want to include mobile application management, sign up for the Enterprise plan. Containerization, which partitions user-owned devices so that only company-approved apps can access business resources, is reserved for the Enterprise plan. The creation of business policies to enforce different usage procedures according to device type/ownership is only available with the Enterprise package. Restrictions on data and cell plan usage are other functions that require the Enterprise plan, as does web content filtering.
A lot of the functionality included with the standard plans of the other MDMs in this list is reserved for Miradore’s most expensive package. However, even the most expensive Miradore plan, with all the MAM and security extras of the other plans, is still one of the cheapest options on this list.
A couple of other features not included with the free plan are available with the paid plans:
- Customized reporting. Standard reports are available with the free MDM plan.
- Monitoring network data usage. Although you can check on configuration compliance with all plans, the ability to monitor network data is only available with the Enterprise plan.
- No limit on the number of admin accounts with both of the paid plans. The free plan includes one administrator account.
- Both paid editions offer live chat and phone support to customers. Support is available via knowledge base, community forums and email with all plans.
Overall, the free version of Miradore’s MDM is pretty good and includes just about all mobile management functions apart from MAM and bulk set up. Even the most expensive Miradore package represents very good value for money.
Jamf Now
Jamf Now is a mobile device management system that only controls iOS devices. This is a cloud-based system that is priced per device. The service is free for the first three devices.
The setup process for devices revolves around “blueprints.” Each blueprint represents a standard configuration. You can create groups of devices and allocate a different blueprint to each. Configuration of those groups of devices can then be commanded, setting up all of them in bulk.
An alternative method for device inclusion is the enrollment process. This requires a device owner to create an account for the network by accessing a custom enrollment page. Once signup is complete, the configuration of the device initiates, giving user-owned devices the same level of security accorded to business-owned devices.
Monitoring of devices can be automated, giving you alerts when risk conditions occur, such as jailbreaking or the installation of unauthorized software. It is possible to display a full inventory of devices on your network in the dashboard. Details include spare storage capacity, a list of installed apps, and the serial number of the device.
Each device can be given a passcode centrally, and it is possible to use two-factor authentication with Jamf Now. You can activate a lost mode, which will lock the device and cause it to signal you its location. You can also wipe devices remotely.
The Jamf Now package doesn’t include a secure email system. Instead, the plan allows users to connect to Microsoft Exchange, Google Mail, Yahoo! Mail, and any IMAP or POP system. If you operate an on-premises email server, communications between it and mobile devices will be protected by the Jamf Now encryption.
There is no MAM system included with Jamf Now. Instead, it relies on the Apple Volume Purchasing Program, which enables you to buy bulk licenses for apps and distribute them to your user community. Check on operating system updates and roll them out to individual devices, or update all managed devices en masse.
Restrict devices to a single app or a restricted suite of applications. This strategy is desirable in retail locations where smartphones and tablets are needed for catalog, CRM, and invoicing functions but not for other general apps, such as browsers or email.
Jamf Now is an interesting system and the free service for three devices is very tempting for sole traders, partnerships and startups on a tight budget. The limitation of the service to just iOS devices may make this option too limited for your business.
SimplySecure
SimplySecure is a cloud-based MDM capable of dealing with iOS and Android mobile devices and portable storage. The overall service is called the SimplySecure Management System and it can cover desktops, laptops, mobile devices, and USB storage, each in its own pricing category. You simply pay for each device you want to manage. However, the service is charged on a yearly basis, not per month. If you want a monthly price, you have to track down a SimplySecure reseller and buy the service from there.
The dashboard for the service is accessed via web browser. Configure your mobile devices remotely and in bulk, applying different policies to groups of devices. Lost devices can be wiped remotely and devices that display suspicious activity can be quarantined.
The service includes device tracking and you can enforce password protection to add an extra layer of security in case they get mislaid. You may change those passwords remotely to create an instant lock in case of trouble.
All communications within your company network are protected by encryption. Although direct access to apps over the cloud would not be covered by this protection, you can route access through your company server to get the security layer applied to app and data access. Encryption can also be applied to stored data on the device.
This is a lightweight option for small businesses and the delivery by cloud means you don’t have to run a large network or employ a systems administrator in order to use this service. The ability to include USB memory into the coverage is unique and applies encryption that only you and your employees can decrypt. This is a great solution to the problem of losing confidential data along with a lost USB memory device.
Selecting a mobile device management system
A lot of MDM systems crowd the market and searching for the right one can be time consuming. This list gives you a range of options that cater to a variety of business types and sizes.
Your first task is to narrow down your search by checking off your basic needs against the descriptions of vendors in this list. For example, the vendors at the top of this list are better suited to large or middle-sized companies that employ a full time systems administrator or a team of IT support staff. Jamf Now and SimplySecure were created to cater to small businesses.
Look out for the free offers in this list. Even if you are a small business, you might be able to get one of the enterprise MDM systems for free. An example of this is ManageEngine’s free version for small businesses. Another option that small businesses should explore is Miradore’s free online MDM system.
Check out the other infrastructure management tools that each of these providers offer as well. If you are in the market for a full suite of management software, you may find that an MDM’s compatibility and interoperability with other useful system tools may sway you in its direction.
If you are happy to pay for a mobile device management system, then make sure you take advantage of the free trials offered by many of the services on this list. Try out a couple of the services so you can decide which one you enjoy using. It may be that your final choice of MDM just comes down to the one that you like the look of. That isn’t a bad selection criterion, because it doesn’t matter how comprehensive the features of an MDM are if you don’t understand how to use it. If you find all of its tools too time consuming, you won’t make full use of that system and you will have wasted your money.