designsoliman - Fotolia


Evaluate the three EMM security options: MDM, MAM and MIM

There is more to EMM security than meets the eye. When it comes to safeguarding corporate devices, IT should consider all three EMM components: MAM, MDM and MIM.

Enterprise mobility management involves more than just security; but that security, as it pertains to sensitive enterprise data, should be at the forefront of IT administrators' minds when it comes to managing mobile devices.

Of course, any comprehensive enterprise mobility management (EMM) strategy ensures the security of all enterprise mobile devices and often incorporates a mix of administrative techniques, including mobile device management (MDM), mobile application management (MAM) and mobile information management (MIM).

Each technique takes a different approach to EMM security, though, and the way admins incorporate them into an EMM strategy will depend on a number of factors. For example, IT must take into account whether they'll be supporting BYOD, corporate-owned, personally enabled devices, or both. Either way, the goal remains the same: to prevent sensitive enterprise data from leaking out of its secure domain.

MAM security

Although MDM provides a powerful tool for IT to control mobile devices, few BYOD users welcome such control, even if they're using their devices to do work. For this reason, many organizations turn to MAM in place of or in conjunction with MDM.

These days, most MDM products provide at least some MAM security capabilities.

MAM involves managing and securing line-of-business (LOB) apps and data, without interfering in how users interface with device features and personal information. Users can still snap pictures or connect their Bluetooth headsets or access Dropbox or send texts, as long as they use the LOB apps only as intended.

IT can use MAM to control which LOB apps users can run on their devices, based on the types of users and what they need to do their jobs. IT can deploy apps, configure user settings, apply digital signatures, update apps or disable them.

Mobile operating systems such as iOS 7 or later include an MDM platform that supports MAM capabilities IT can use to manage any type of app. Other tools use such technologies as app wrapping or containerization to isolate specific apps. Regardless of the approach, the goal for IT is to manage and secure LOB apps without interfering with personal operations, while ensuring that the sensitive data associated with the apps remains protected.

MAM allows IT to encrypt app-specific data without touching personal information and control how data is shared among apps. For example, IT can configure a LOB app to prevent users from copying data from a managed app to a personal app, or from printing the particular app's data.

IT can require users to provide a passcode for accessing an app, even if they don't use a passcode to access their devices. MAM helps secure communications between an app and other services, providing support for such technologies as per-app virtual private network (VPN) or single-sign on between the app and back-end resources.

Clearly, MAM offers a number of benefits when it comes to managing mobile apps. However, there might still be circumstances when IT wants to ensure security at the device level. Fortunately, MDM and MAM are not mutually exclusive. These days, most MDM products provide at least some MAM security capabilities; many products that started out as MDM offerings have added MAM support.

Pop quiz: Mobile app development strategy

A mobile app development strategy is a key first step on the road to a successful mobile app launch for your business. Test your knowledge with this quiz to see if you're ready.

MDM security

MDM controls the mobile device as a whole. For example, IT can prevent users from enabling Bluetooth or accessing their cameras. IT can also require managed devices be fully encrypted and automate certificate enrollment to secure certain types of communication, such as Wi-Fi or VPNs.

MDM can also be instrumental in implementing and managing remote protections. Admins can implement policies to enforce password or PIN protections or to lock the device after a specified number of login attempts. IT can also carry out remote actions, such as locking devices, resetting passcodes, deprovisioning devices or wiping all or part of the data, should a device be lost or stolen.

Another advantage to MDM is the ability to centrally manage devices, often in conjunction with other enterprise systems, such as Active Directory. Admins can set up security policies based on the types of users and their locations, thereby ensuring that only authorized individuals have access to certain apps and data.

The centralized management also makes it possible for IT to keep devices updated so they always have the latest security patches, and to install and manage malware on the devices. Some MDM tools provide IT with the ability to push out notifications to the managed devices or enable users to securely message each other.

Plus, a centralized MDM tool provides a mechanism for monitoring the managed devices and determining whether any have been rooted or jailbroken. IT can also use MDM to maintain detailed inventories of the devices and track devices with GPS.

MIM security

MIM is the final piece of the EMM security puzzle, working in conjunction with MDM and MAM to securely transmit sensitive data and ensure that only approved users and applications can access it.

MIM includes a data encryption component as well as the authorization/authentication processes necessary to ensure secure access, regardless of the types of devices or applications. MIM might also include data synching and management capabilities, as well as data movement monitoring.

With MIM, IT has granular control over who can access the data along with the ability to implement features such as multifactor authentication, strong passcode enforcement and geographic-based access. MIM also gives IT control of data movement through such features as push-based file distribution and automatic file synchronization, plus remote wipe capabilities.

An EMM tool that includes MIM allows admins to address compliance and regulatory issues, which can be an important factor in determining organizational security needs.

Those considering MDM, MAM and MIM for addressing mobile security must also think about the big EMM security picture and the type of devices and apps that need supporting. The best approach may be a mix and match of all three management options.

Next Steps

Five ways EMM can lock down mobile data

EMM security features that save the day

Top features to look for in an EMM tool

Dig Deeper on Mobile security

Unified Communications