The Case for MDM: Apple v. FBI
While I’ve written a number of articles positioning Mobile Device Management (MDM) as a necessary tool for both corporate-owned and corporate-used smartphones, perhaps the biggest reason to embrace MDM just landed at the feet of the nation. The Apple v. FBI case has thrown the doors wide open on the idea of encryption and what it means to have truly private communications. And while I firmly back Apple’s stance not to build a version of their software that threatens the security of nearly a billion devices, 500 words is not ample space to assert my position and provide a full, technical explanation of this threat potential. But what I can offer here is a small piece of advice that removes the need for this skeleton key inside your organization.
MDM is a method of enrolling devices into a software management platform in order to exert control over those devices. The main element we use to manage a device — be it Apple, Android, or Windows — is called a “profile". A profile is a small set of files containing collection of behaviors we want the device to adhere to. Once installed, the profile can pre-load Wi-Fi or email configurations; or it might force a strong passcode, restrict the ability to use the camera, or even disallow certain applications. Administrators have myriad options to pre-set how the devices behave in different environments. And from the MDM management console an administrator can perform a slew of tasks across their fleet of phones. In addition to querying the device for its GPS location or list of installed apps, administrators can remotely lock or erase devices to protect sensitive, corporate data.
MDM platforms come in all shapes and sizes. I’m a fan of Cisco Meraki as a starting point for many of my clients as they offer a basic MDM platform for free up to 100 devices. (Free is a price-point I find all of my clients can get behind.) But some organizations have more devices or require a stronger set of features. In these cases we might move to a paid tier of Cisco Meraki or consider Bushel, AirWatch, MaaS360 or MobileIron. All bring their own strengths depending on the organization. And it’s important to note these tools aren’t just useful for business — I help many families deploy MDM to manage their teenagers’ phones and to protect their own devices if lost or stolen.
The takeaway is that once an MDM platform has its hooks into a device it exerts an enormous amount of authority. In most cases we’re interested in protecting the corporate data — not cracking the phone open. But there are situations where the reverse is true. Maybe an employee leaves the company un-expectantly while neglecting to inform IT of their iPad passcode. In a circumstance like this the MDM can very simply remove the passcode. Repeat: remove the passcode. Had San Bernardino County IT employed an MDM platform, wiping the passcode would have been a 5-minute event not the national brouhaha we’ve seen over the last months. So however you come down on privacy vs. FBI backdoors, know you can install your own mini-backdoor just for your company’s piece of mind. Case closed.