Apple Business Manager Understand how UEM, EMM and MDM differ from one another

How to successfully implement MDM for BYOD

It's not easy to implement MDM in BYOD environments. IT should communicate with end users to set expectations about what personal information the MDM platform can and cannot track.

Due to advancements in OS features and mobile device management platforms, it is possible to implement a BYOD policy that meets the productivity and privacy needs of users without compromising on data security -- but it requires considerable planning.

When organizations introduce unified endpoint management (UEM) and mobile device management (MDM) for BYOD, it becomes even more difficult. It is possible to balance the needs of the company with the needs of the user, however.

To deploy a successful BYOD initiative, IT admins must properly devise the MDM policies that they apply to devices and ensure that employees understand clearly what the implications of these policies are. Some organizations, for example, offer a stipend or other method of reimbursing the costs of device use, while others only permit app access and do not pay users' expenses.

Set expectations, alleviate end-user concerns

Whichever BYOD model an organization adopts, it must set expectations to the users in advance so that users can operate according to the agreed-upon system. Friction occurs when users present a bill for expenses and find out that they are not entitled to claim it, having understood that they would be reimbursed.

End users are often happy to comply with policies once they know in advance what they are signing up for. If administrators say that they cannot see certain features and break that trust, the policy is destined to fail. To successfully implement MDM for BYOD, an organization should alleviate common user concerns, such as:

Can MDM track browser history? No, but MDM can be used to deploy over-the-top services that can redirect, control and monitor traffic, both SIM-based and over Wi-Fi. Organizations that do this should make users aware of it and consider a separate policy for BYOD users.

Combine UEM with BYOD

Can MDM read text messages? Not on iOS, as Apple has not provided any hooks for MDM to do this, even with supervised devices. It is possible on some versions of Android, but IT will rarely deploy native controls for reading text messages. Text messages can be routed to corporate email archives. Most messaging apps deploy end-to-end encryption on messages, which renders the contents inaccessible to IT departments.

Highly regulated organizations can deploy third-party products to record business information, but this should be clearly communicated to users, and usually leaves an unscreened area for personal communications. Companies that are required to record such communications usually don't allow BYOD for regulated users, as the balance between user privacy and compliance is difficult to implement.

End users are often happy to comply with policies once they know in advance what they are signing up for.

Can MDM track location? Yes, and it can even prevent the user from disabling location services once enrolled in MDM. Most MDM platforms, including VMware AirWatch by Workspace One, IBM MaaS360, MobileIron and others, have privacy settings to prevent location tracking of BYOD devices. IT departments should always be clear on whether this is being tracked for all groups, specific users or not enabled.

Can MDM platforms see which applications are installed on a user's phone? Typically, the MDM platform takes application inventory once users enroll their devices. Using privacy settings, IT departments can opt not to see this or to only see line-of-business apps that have been deployed from an in-house app store. Restricting visibility is a good idea, as personal apps can reveal health, religious or sexuality information that IT departments should avoid wherever possible.

What happens with MDM for BYOD if an employee leaves the company? When an employee leaves the company, his or her device is typically retired from the corporate MDM or enterprise mobility management. All company apps and data are purged from the device, while personal information remains intact. A good BYOD policy will strictly segregate business information from personal to protect the organization, but when it comes to offboarding, this also benefits the user. Retiring devices is often referred to as a selective wipe; during this process, IT should also revoke any credentials the user had to access corporate apps. MDM platforms such as VMware AirWatch by Workspace One and MobileIron offer protection against factory reset for devices flagged as personally owned, so that they will never be accidentally wiped.

Balance security, privacy

Organizations can implement BYOD policies using different approaches. Organizations should always keep business information from leaking out to personal cloud storage or anywhere that is beyond the reach of IT departments. Some MDM platforms, such as MobileIron, offer a wrapping service for apps, while others such as VMware Workspace One deploy separate workspaces. Android Enterprise offers a work profile that IT can manage, while the rest of the device remains available for personal use.

Even if an organization allows personal devices to access corporate resources, it should establish certain baselines to maintain security. Organizations should support a minimum OS version to ensure that devices receive recent patches and address known vulnerabilities. For Android, it is worth restricting handset types to reputable manufacturers; Google provides a list of Android Enterprise Recommended devices. To make the list, manufacturers must commit to service-level agreements for releasing patches and ensure that the devices will have access to several OS upgrades.

The latest versions of iOS and Android have included advancements in user privacy while allowing companies to determine that the posture of all devices is secure. Apple introduced user enrollment with iOS 13, which keeps personal details such as device serial number and IMEI private, but allows IT to deploy and manage apps within a dedicated device partition. Android 10 (Q) can enforce a minimum strength unlock code, block unknown sources from installing apps and determine whether users can sync personal calendars with work calendars.

Dig Deeper on Unified endpoint management

Virtual Desktop