Border Patrol agents can chat with other law enforcement officials via a tactical kit installed on an off-the-shelf tablet.

Feb 18 2019
Digital Workspace

EMM Solutions Keep Mobile Devices Secure at USDA, DHS and SBA

Enterprise mobility management tools help agencies create a comfortable user experience while simultaneously protecting information.

At the Department of Homeland Security, workers rely on Personal Identity Verification cards to authenticate their identity on desktops and notebooks, but the cards don’t work on smartphones. DHS relies on enterprise mobility ­management to handle ­credentials for more than 100,000 mobile devices.

The sprawling department, made up of nine component agencies, uses a variety of EMM solutions, says Tom McCarty, director of DHS’ Enterprise IT Services division

The Federal Emergency Management Agency and the Coast Guard have standardized on MobileIron, while the Transportation Security Administration and Immigration and Customs Enforcement use BlackBerry’s Enterprise Mobility Suite. The other agencies rely on AirWatch or Apple’s device enrollment program.

When it comes to devices, DHS employees can choose between iOS and Android, and that can pose management issues.

“Particularly with credentialing, because the way Apple manages keys and the way Samsung does it for Android are different,” McCarty says. “I’m hopeful we’ll get more consistency across the agency, so we can standardize some of those things.”

Agencies turn to EMM solutions to guarantee that only authorized personnel can use their devices to access department resources while ensuring that the device remains a convenient way to work outside the office. 


Having a unified way to manage endpoints is a top priority for agencies, says Adam Holtby, senior analyst of workspace serv­ices at Ovum.

“Mobility should be at the core of any digital transformation effort,” he says. “Adopting a single solution to manage a broad range of devices and apps can improve security and productivity, ease endpoint and application administration and deliver new insights into how the modern employee works.” 

Managing mobile app security while still providing a positive user experience remains a great challenge, McCarty says. Apps used to process government data, such as Microsoft Outlook for email, undergo an internal vetting process known as Carwash before they’re added to a whitelist in the department’s mobile apps catalog. 

MORE FROM FEDTECH: Find out how agencies like NASA and NSF keep tech working for far-flung employees. 

DHS Balances BYOD and EMM Other Models 

A DHS pilot program integrates Lookout Mobile Security with AirWatch to identify and blacklist potentially malicious third-party apps.

“It’s a delicate balance,” McCarty says. “You want to make sure you don’t lock down the device so much that it’s not a good user experience. 

“With different applications,” he adds, “there are always different kinds of threats. That’s why mobile threat protection will be really helpful.”

One question agencies face is whether to allow employees to use their personal mobile devices for work, or let them use work phones for personal business.


    Percentage of agencies reporting a security incident involving mobile devices

    Source: Lookout, “Policies and misconceptions: How government agencies are handling security in the age of breaches,” December 2017

    Although some DHS agencies are experimenting with BYOD, McCarty says most rely on the corporate-owned, ­personally enabled model, where workers carry devices provided by their employer that they can use for personal needs in a highly managed way. 

    “The area we need to be most careful about is making sure there’s no data going from our corporate apps to apps that aren’t necessarily bad, but could potentially allow information to leak,” McCarty says. 

    Because DHS is migrating to Office 365, it’s taking a close look at Microsoft Intune as a potential enterprise mobility and ­security (EMS) solution.

    Tom McCarty, Enterprise IT Services Director, DHS
    The big benefit is that they now have an experience that’s more like they’re used to in their everyday lives, and they gain access to things they could never get to before on their mobile devices.”

    Tom McCarty Enterprise IT Services Director, DHS

    “When we started this effort, Intune wasn’t very mature, but it’s made big strides lately,” he says. “We’re definitely taking a closer look at Intune, not only for its tighter integration with Office 365, but also for security benefits, such as conditional access controls for mobile apps.”

    Adopting mobile device management at the same time that DHS is migrating to the cloud means asking agency employees to adapt to a lot of change over a short period of time.

    “We’re throwing a lot at our users these days,” McCarty admits. “But the big benefit is that they now have an experience that’s more like they’re used to in their everyday lives, and they gain access to things they could never get to before on their mobile devices.” 

    MORE FROM FEDTECH: Discover how the Mine Safety and Health Administration has gone paperless. 

    SBA Provides Mobile Security for a Dispersed Workforce 

    With more than 2,000 permanent employees spread across 128 locations, the Small Business Administration has a workforce that’s not only diverse but also dispersed. That’s why the SBA relies on 2,200 agency-issued smartphones and some 400 portable Wi-Fi hotspots to keep everyone connected.

    Last year, the SBA moved from using only iPhones running on the AT&T network to a mix of iOS and Samsung Galaxy devices across the three major U.S. ­carriers, says Russ Miller, director of IT serv­ices. That allowed the agency to maximize coverage in remote areas not served by AT&T, as well as to run internal apps that were not iOS-compatible.

    The SBA also migrated from IBM MaaS360 mobile device management software to Microsoft Intune, and added Zimperium mobile device security to protect against malicious apps. 

    “We had a small library of apps our employees could access, but Zimperium let us enlarge that a bit more because it blocks the viruses and malware that can come with rogue apps,” he adds. “If you allow people to download any application they want, you open yourself up to a host of vulnerabilities and risks.”

    Using Intune allows SBA employees to securely access their Microsoft OneDrive accounts, which lets them read and edit files stored in the cloud from their phones.

    “That can be risky,” he adds. “But if you have the right security software on the phone, you can always remotely lock or wipe the device. If it gets lost or ­stolen, it’s a brick — it can’t be used.”

    MORE FROM FEDTECH: See how the Air Force secures and customizes its mobile solutions. 

    USDA Evolves Its Approach to EMM

    Miller says EMM software has evolved a great deal since the first solutions appeared.

    “Seven or eight years ago, most of the device management tools didn’t let you lock the device or secure the data you had on it,” he says. 

    “Today, if someone leaves the agency and has password-protected their device, we have to throw the phone away — even Verizon or AT&T wouldn’t be able to clear the device so we could reuse it.”

    Like DHS and SBA, the Agriculture Department has a mixed mobile environment, with more than 90 percent of its 32,000 government-issued mobile devices using iOS. And like those agencies, the USDA’s biggest security concerns center on application-based threats, says Frank Chad Hoeppel, ­acting associate CIO for the USDA’s Client Experience Center.

    USDA technicians
    USDA Animal and Plant Health Inspection Service Plant Protection and Quarantine technicians Bethany Benedict and Brendon Miller inspect an adhesive band used to sample insects in the area. The number of insects of interest that are stuck to the band are identified counted and the data is entered into a smart tablet. Photo credit: Lance Cheung/USDA

    The USDA has used MobileIron since 2013 to manage the devices, alongside Symantec-owned Appthority to screen apps for potential malware or vulnerabilities. 

    The department is currently implementing blacklisting and whitelisting capabilities to create a roster of third-party apps approved for business use, as well as finalizing its BYOD policies, Hoeppel says.

    “Five years ago, our mobile program provided email access to mobile devices,” Hoeppel says. “Today, using mature EMMs, we securely manage devices and provide a flexible suite of productivity applications to our employees, allowing them to work anytime, anywhere.”

    Adam Theo/Department of Homeland Security

    Become an Insider

    Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT