2. How Can We Balance Agency Security and Individual Privacy with MDM?
For agency-owned devices, there’s no conflict: Don’t give up security on an agency laptop just because someone might also want to do some occasional online shopping from the same device. For BYOD, think of MDM as an agreement with end users: In exchange for control over some aspects of their mobile devices, they get the convenience of accessing sensitive information on their own phones. If they’re uncomfortable with that deal, they can decline to participate in MDM, but they also won’t be able to connect to agency-trusted networks or information systems.
3. Where Do I Start When Defining Policy? MDM Gives Me Too Many Settings.
Focus on MDM policy elements with a direct impact on overall security: device lock, app store access, password and biometric policies, and software patch and update settings. Those get pushed immediately to everyone. Then, divide users into groups in the MDM console, including a group of early adopters outside of IT. Slowly incorporate additional MDM policies by pushing to early adopters first, then roll out agencywide once you are confident there are no negative side effects.
4. Deployment Looks Like a Nightmare. I Don’t Want to Touch Every Mobile Device.
Investigate “zero-touch” programs for agency devices. With both Apple and Android, hardware resellers like CDW coordinate with hardware vendors so that devices automatically “know” they’re part of the agency and preload basic configurations (including MDM enrollment) when they are first turned on and after a factory reset. This cuts deployment costs while increasing security for lost or stolen devices.
5. How Do I Handle Devices with Old Software?
MDM works with a broad range of devices and OS versions, but old devices and old software can be a problem. However, smartphone software is constantly under attack, so keeping devices patched and updated should be part of agency security policy. Any device so old that it can’t run MDM software shouldn’t be handling sensitive data in the first place.
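The staged policy approach from question 3 and the old-software rule from question 5, worked through as an added example (not code from the article or from any MDM product): a baseline of security-critical settings applies to every enrolled device, additional settings reach only the early-adopter group, and a device below an assumed minimum OS version is flagged as unfit for sensitive data. The device records, setting names and OS floors are constructed for illustration.

```python
"""Staged MDM policy evaluation (illustrative; not any vendor's API)."""
from dataclasses import dataclass

# Baseline pushed to everyone immediately: the settings the article names.
BASELINE = {"device_lock": True, "app_store_restricted": True,
            "min_passcode_len": 6, "auto_update": True}
# Settings still in staged rollout: early adopters get them first.
STAGED = {"require_biometric": True, "block_usb_debug": True}
# Assumed OS floors for illustration; the article gives no specific versions.
MIN_OS = {"ios": (15, 0), "android": (12, 0)}

@dataclass
class Device:
    name: str
    platform: str
    os_version: tuple
    group: str          # "all" or "early_adopters"
    settings: dict      # what the device actually reports

def applicable_policy(device):
    """Everyone gets BASELINE; only early adopters also get STAGED."""
    policy = dict(BASELINE)
    if device.group == "early_adopters":
        policy.update(STAGED)
    return policy

def evaluate(device):
    """Return a list of findings; an empty list means compliant."""
    if device.os_version < MIN_OS[device.platform]:
        return ["os_too_old"]   # too old to enroll: keep it off sensitive data
    findings = []
    for key, required in applicable_policy(device).items():
        actual = device.settings.get(key)
        if isinstance(required, int) and not isinstance(required, bool):
            if actual is None or actual < required:   # numeric minimum
                findings.append(f"{key}<{required}")
        elif actual != required:                       # boolean setting
            findings.append(key)
    return findings

# Constructed sample fleet.
FLEET = [
    Device("phone-a", "ios", (17, 2), "all", {"device_lock": True,
           "app_store_restricted": True, "min_passcode_len": 6, "auto_update": True}),
    Device("phone-b", "android", (14, 0), "early_adopters", {"device_lock": True,
           "app_store_restricted": True, "min_passcode_len": 4, "auto_update": True,
           "require_biometric": True, "block_usb_debug": False}),
    Device("phone-c", "android", (9, 0), "all", {"device_lock": True}),
]

def report(devices=FLEET):
    return {d.name: evaluate(d) for d in devices}
```

Running `report()` shows phone-b failing only the staged and passcode rules that apply to its group, while phone-c is rejected outright on OS version before any setting is checked.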