This recent widespread shift to remote work caused an explosion in mobile devices accessing corporate networks, in both volume and variety. However, businesses soon found that unmanaged mobile devices created security vulnerabilities, logistical friction, and productivity slowdowns. Thus, businesses turned to mobile device management (MDM) to manage the devices that no longer exist within the traditional perimeter.
While MDM existed as an option to companies before the shift to remote work, the significant rise in mobile devices on corporate networks made MDM a necessity. This increased need for MDM drove providers to develop varying iterations of MDM that offer different functionality.
Now, the term “MDM” encompasses the many types of device management solutions on the market today. This blog will explore these different types of device management and what needs they solve, particularly in remote, hybrid-remote, and BYOD environments. It will also discuss the scope of different MDM approaches and example use cases for each to guide IT professionals in determining what they need to effectively manage devices in their organization.
Common Device Management Needs in Remote or BYOD Environments
The rise of remote and hybrid-remote environments didn’t just create more devices to deal with; it also gave rise to new types of problems and new business needs. And while basic MDM offers visibility and some level of control over the devices accessing company data, most companies need more than these basic functions to effectively manage and secure their devices. The following needs are common to remote, hybrid-remote, and BYOD environments that stretch beyond basic MDM, though many more robust MDM offerings now address these needs.
By nature, BYOD environments contain highly diverse devices in terms of hardware, software, usage, and configuration. Failing to establish or enforce standards around these elements can leave data vulnerable and devices subject to infiltration. Some MDM solutions allow IT admins to enforce standards to keep device functionality and security consistent.
Insights and Reporting
With the number of devices accessing company networks growing (and often in unsupervised environments), companies need a method for viewing and monitoring those devices. MDM solutions provide a level of visibility into the devices accessing corporate data; depending on the offering, this visibility can be quite deep and thorough. For example, MDM solutions can give a bird's-eye view of several status and activity data points for all endpoints or for subsets of them. With JumpCloud’s MDM, for example, you can see which devices don’t have MFA enabled, who’s locked out of their device, and the battery life of every device.
Updates and Patch Management
Keeping all systems and applications updated is critical to compliance and security: unpatched software is a major cause of security breaches and compromised data. Some MDM solutions enable companies to track this by offering visibility into devices’ OS versions, applications, and software, including which are due for updates or patches. This helps them ensure that all employees are working with up-to-date tools, regardless of whether they’re using personal or corporate-issued devices.
The lack of device unification and supervision in remote and BYOD environments can create significant security vulnerabilities, and companies need the ability to manage and secure both devices and their contents.
Many MDM solutions offer additional layers of security that help remote and BYOD companies more holistically secure the devices in their fleet. Some common examples of security features some MDM solutions offer include:
- Multi-factor authentication (MFA): MFA can provide security at the device and app levels. Many MDM solutions integrate with MFA tools, and some offer MFA natively. JumpCloud, for example, offers MFA via TOTP or push notification natively and delivers thorough insights into, and control over, MFA activity and configurations.
- Disk encryption: Some MDM solutions allow admins to enable full disk encryption on devices remotely. When combined with policy creation, this can be turned on as a rule for all fleet devices.
Tip: when exploring tools that offer disk encryption, look for ones that store the recovery key automatically to avoid accidental lockout.
- Remote lock and wipe: If a device is lost or stolen, many MDM tools allow you to lock the device and wipe its contents to prevent data compromise.
In addition to security features, integrating device data with identity data dramatically enhances security. This allows admins to view data holistically and contextualize it to extrapolate patterns and identify suspicious activity. Technically, this combination of device and identity is referred to as UEM, which is covered later in this blog.
Many MDM solutions can also integrate with third-party security providers. In these cases, MDM becomes a seamless part of a larger security initiative.
Onboarding and Offboarding
Onboarding employees remotely can require several shipments and tedious steps for IT admins: without remote onboarding tools, they’d need to have each new device shipped to them, configure the devices manually, and then ship them to the new hires. Offboarding would require several similar touchpoints.
MDM solutions can greatly reduce the number of physical touchpoints IT needs to onboard and offboard employees, which aids in enabling long-term remote work. Some MDM solutions like JumpCloud’s offer zero-touch provisioning, which allows IT to set up new employees’ computers entirely virtually. This enables you to skip the shipment chain and instead drop-ship devices directly to new employees; IT can configure the device in the background without ever handling the device physically.
Comprehensive MDM solutions with a UEM component also significantly streamline offboarding. When users are assigned to devices, they can easily be deprovisioned and wiped — often remotely — when an employee leaves the company.
BYOD and remote work have driven more companies to support multiple operating systems in their environment, and they now need solutions that can support these multi-OS models.
Not all MDM solutions support all operating systems — in fact, most favor certain platforms and operating systems. For example, as a Microsoft product, Windows Endpoint Manager supports devices with Windows operating systems and recently added Mac support into the mix; however, it does not support Linux. Jamf is a common MDM choice for Mac and iOS devices, but doesn’t support Windows or Linux.
Make sure the MDM solution you choose fully supports the OS your organization uses; if you use more than one OS, look for an OS-agnostic solution like JumpCloud, which supports Mac, Windows, and Linux devices. Because BYOD policies and a rising prioritization of the employee experience are pushing more companies toward multi-OS models, OS-agnostic solutions can help with future scaling.
Different types of MDM are often given separate names, and many of the acronyms are quite similar to one another. To help delineate and clarify these approaches, this section will cover some of the common acronyms you may run into when assessing MDM solutions.
Note that different approaches tend to compound upon one another; more robust solutions also include the capabilities that the more basic approaches offer. We’ve listed the approaches in order from least robust to most robust.
MDM: Mobile Device Management
Basic MDM allows you to view, verify, and control devices on the network. This can include actions like configuring device settings, monitoring device activity, and locking and wiping devices. While MDM can include much more than this, these are the basic functionalities most MDM solutions include; others (some of which we’ll discuss here) add onto basic MDM for more thorough device and access management.
While basic MDM is common in remote workplaces, it’s often a company’s only method of device management. In an ideal scenario, companies would combine basic MDM with other approaches (which we’ll discuss here) for more targeted, strategic, and intentional controls.
Example Use Case
A small business just decided to make their hybrid-remote policy permanent, and they need an immediate way to start managing the devices accessing their data.
MAM: Mobile Application Management
Rather than focus on devices themselves, MAM focuses on the applications on devices. MAM’s close control over applications offers significant security benefits, as companies can configure security settings in relevant applications. For example, companies often implement MAM to configure email application security settings on employees’ devices.
Not only does MAM allow companies to manage security for specific applications, but it also allows them to leave others alone. This helps employees maintain a reasonable level of privacy — especially when working under a bring-your-own-device (BYOD) policy — without compromising security.
Example Use Case
A company wants to maintain their BYOD policy while allowing employees to use mobile applications to handle sensitive data. MAM would help them set strict security parameters for the corporate apps on employees’ personal devices.
EMM: Enterprise Mobility Management
Includes: Basic MDM + MAM
EMM combines MDM and MAM. This offers IT admins more holistic control over devices and their contents. With EMM, for example, a company could both encrypt a device and set up phishing filters on the device’s corporate email application. Further, device-based and application-based policies can work together and inform one another; for example, if an employee lost their device, IT could lock the device itself and wipe the contents of the corporate apps on the device.
EMM’s combination of information and control around both the device and its contents makes for more intelligent and secure device management than MDM or MAM can provide on their own.
Example Use Case
A security-focused company needs to allow employees to use mobile email and collaboration apps securely while also enforcing MFA and full disk encryption on every device that accesses corporate data.
Note: MDM, MAM, and EMM do NOT integrate device data with identity data.
UEM: Unified Endpoint Management
Includes: EMM + IAM
UEM is a step up from EMM. While EMM focuses solely on devices and their applications, UEM broadens the scope significantly to include identity and access management (IAM). Bringing identity into the mix allows for a more holistic approach to access management.
Aside from the friction IT admins experience when using different tools to manage identities and devices, siloing these data sets can create security gaps and prevent holistic access management. UEM bridges this gap, allowing identity data to be associated with device data.
UEM is extremely beneficial to businesses with remote or hybrid-remote work, BYOD models, or managing IoT devices. It allows you to assign, or bind, users to their devices and associate their data with one another. This means policies and permissions for users and devices can work together for more effective access management. For example, a UEM solution could prevent a user without admin permissions from making changes to the servers on the network, or prevent a user from accessing corporate resources when logging in from a device that isn’t assigned to them.
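The two UEM rules described above (deny a privileged change to a user without the admin role, deny access from a device not assigned to the user) and the MFA/patch report from the Insights and Reporting section, shown as one added example. This is illustrative code, not JumpCloud's product or API; the `Device` and `User` records, the role names and the policy thresholds are all constructed assumptions.

```python
# Added example, not JumpCloud's code or API: a UEM-style access decision that
# joins identity data (roles, user-to-device bindings) with device data (MFA,
# encryption, patch state). Every user and device below is a constructed record.
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    mfa_enabled: bool
    disk_encrypted: bool
    patch_current: bool
    assigned_users: set = field(default_factory=set)

@dataclass
class User:
    username: str
    roles: set = field(default_factory=set)

# Constructed inventory: one compliant laptop bound to two users, one non-compliant one.
DEVICES = {
    "mac-001": Device("mac-001", True, True, True, {"alice", "carol"}),
    "win-002": Device("win-002", False, True, False, {"bob"}),
}
USERS = {
    "alice": User("alice", {"admin"}),
    "carol": User("carol", {"staff"}),
    "bob": User("bob", {"staff"}),
}

def evaluate_access(username, device_id, action="read_resource"):
    """Return (allowed, reason). Deny by default; the reason is meant for the
    audit log so admins can see why a login or change was refused."""
    user, device = USERS.get(username), DEVICES.get(device_id)
    if user is None or device is None:
        return False, "unknown user or device"
    if username not in device.assigned_users:          # device-to-user binding
        return False, "device not assigned to this user"
    if not (device.mfa_enabled and device.disk_encrypted):  # device policy
        return False, "device fails MFA/encryption policy"
    if action == "modify_server" and "admin" not in user.roles:  # identity policy
        return False, "admin role required"
    return True, "allowed"

def device_issues(d):
    """List the policy checks a device fails (empty list means compliant)."""
    return [name for name, ok in (("mfa", d.mfa_enabled), ("encryption", d.disk_encrypted),
                                  ("patches", d.patch_current)) if not ok]

def noncompliance_report():
    """Fleet view in the spirit of 'which devices lack MFA or are unpatched'."""
    return {d.device_id: device_issues(d) for d in DEVICES.values() if device_issues(d)}
```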
What’s more, the best UEM solutions offer deep access management in one unified platform, reducing the number of tools you need to use to manage access and gain insights. Centralizing this data also preserves data integrity by maintaining one source of truth and preventing data duplication, deviation, and loss.
Example Use Case
A business moving to a hybrid-remote environment with multiple operating systems can’t successfully integrate its legacy directory with its device data, so it switches to a solution that manages identity and devices at once.
Device Management Point Solutions
Because so many iterations of MDM have evolved since the pandemic increased the need for device management, many companies end up using more than one MDM solution to meet all their needs. This trend follows a common phenomenon: a set of needs arises, several companies develop different solutions to address these needs, and then companies invest in several of these new solutions to fully address their unique set of needs.
This point-solution approach has two weak spots: first, it requires companies to spend money on multiple solutions rather than one. Second, it often creates residual problems with APIs, integrations, and communication between tools. In some cases, the point-solution model can lead to siloed data and a system without one source of truth. This puts data integrity at risk and precludes the integrated intelligence you could receive when viewing and interpreting the data as a whole.
Aside from the data hygiene issues, non-centralized access data often means managing different sets of data in separate management consoles. This drastically increases friction for the IT user. In addition, purchasing more than one service often means higher costs and more complex licensing. Finally, the integrations and APIs required to facilitate communication between these tools add complexity and opportunities for breakdown.
By contrast, centralized access management provides a solid foundation for unified data and access management and clearer insights. Having a more complete picture can help you better understand device and user activity. With this information, you can extrapolate to identify areas where you could reallocate resources, reduce bottlenecks, optimize license distribution, and more. Having it all in one console not only streamlines the IT admin experience, but it also reduces the risk of problems with integrating different tools and provides more complete security insights, facilitating better incident detection and response.
Where to Start
While basic MDM offers valuable device management solutions, the growing popularity of distributed IT infrastructure drives the need to take device management a step further. In today’s business environment, device data should integrate with identity data: thus, businesses starting out should look for an MDM solution that offers UEM.
Because businesses today need a method for both endpoint management and user management, combining them with one UEM tool often proves more effective and delivers a higher ROI than investing in separate tools for each. Further, starting with a robust tool that combines device and identity management prevents data siloing.
Fully Unified Access Management and Security
As endpoints accessing corporate data multiply and businesses trend more and more toward long-term remote work solutions (70% of companies extended their remote work policies indefinitely after the delta variant emerged), traditional MDM isn’t enough on its own. Companies are increasingly choosing more robust, unified tools to integrate more data into one platform (and under one price tag) and receive better security and insights.
JumpCloud® is a cloud-based directory platform that unifies all identities, devices, networks, and resources you need to manage in one browser-based console. It comes with an MDM component that includes UEM and facilitates everything from configuring device security settings to pulling intelligent insights on directory, system, and user activity.
In addition, JumpCloud takes a Zero-Trust security approach and comes with integrated MFA solutions (including a native authenticator app that supports TOTP and push notifications to devices), conditional access policies, and secure single sign-on to all the resources employees need to Make Work Happen™. It’s easy to try — your first 10 users and 10 devices are free, and it comes with 10 days of free premium live chat support to help you get up and running. Try JumpCloud Free to experience unified access control and security in your environment.