With more and more employees carrying smart devices, it’s natural for them to want to be able to use them for work. Bring-your-own-device (BYOD) programs and policies empower people to choose the best device to get their work done. Allowing employees to use their own mobile devices can also help businesses reduce hardware and service costs.
But corporate IT has a responsibility to protect corporate information wherever it resides. This includes employee-owned mobile devices.
The key is to find the right balance between corporate responsibility to keep enterprise data secure, and the employees’ expectations for a great user experience as well as the security and privacy of their own information.
It’s that last item, security and privacy of their own information, that tends more and more to be at odds with what has become corporate IT’s standard mobile security technology, Mobile Device Management or MDM. MDM can give corporate IT virtually total control over the mobile device, including the ability to track the mobile device as well as totally wipe all mobile device data – corporate as well as personal.
Employees perceive correctly that this gives corporate IT the ability to adversely affect the behavior of their device (e.g. force the use of a passcode, restrict App Store access, restrict apps, etc.). They may also perceive that this means IT has access to every aspect of their private lives including their location, personal email, text messages, music, videos, photos, etc.
Despite the fact that this might not always be the case, the old maxim “perception is reality” definitely applies here. This can stop a BYOD program dead in its tracks.
Traditionally deployed on top of MDM, Mobile Application Management or MAM provides more granular control over apps and data than MDM does by itself. MAM can also include an enterprise app store from which employees can download apps for enterprise use. MAM provides corporate IT with the ability to selectively wipe enterprise apps and data without affecting personal apps, data, etc.
All mainstream EMM vendors today have the ability to deploy MAM by itself, without MDM. But most of these vendors rely on MDM for the lion’s share of the security of their solution. In MAM-only mode, their solutions lack features like per-app VPN, encrypted storage, data leakage protection (DLP), open-in and copy/paste restrictions, and single-sign-on (SSO).
Citrix XenMobile, deployed in a MAM-First configuration, (deploying MAM by itself without MDM), provides the right balance. It provides corporate IT with the ability to securely manage enterprise apps and data without putting employee information and privacy at risk.
In a XenMobile MAM-First scenario, corporate IT does NOT have access to device details such as:
- Device Phone #
- Device IMEI
- Device Serial Number
- Device Location (unless the MAM policy is enabled to geofence a SPECIFIC app to a particular location, and the location is ONLY available when that app is in use).
- Device App Inventory – non-corporate apps that are installed on the device
- Device SMS/iMessages
- iTunes/iCloud information
- Device carrier information – carrier/SIM information/modem firmware
- Storage details (available vs used storage)
- Device PIN/encryption visibility
In a XenMobile MAM-First scenario, corporate IT cannot:
- Hide the “default” apps on the device
- Control the hardware (e.g. disable Bluetooth, camera, mic, etc.) when not running a business (MAM) app
- Wipe the device – MAM can only wipe the data for business (MAM) apps
- Lock/unlock the device – MAM can only lock/unlock at the app-level AND only on the business apps
Consider the following screenshots. The first screenshot shows the list of device properties available when the device is MDM enrolled. The second screenshot shows the device properties available in a XenMobile MAM-First configuration.
As you can see, much less device-specific information is available for MAM-First devices. This appeals to employees that have privacy concerns.
Also, the list of security actions on a MAM-First device is restricted to those actions that apply to corporate apps and data. Device-centric actions such as locking, tracking, or wiping the device aren’t available. This also appeals to employees concerned with protecting personal information and content on their devices.
Lastly, XenMobile offers over 50 different app management policies in a MAM-First configuration. None of these require MDM enrollment. Here’s a partial list:
|Micro VPN||Define maximum offline period|
|Encrypt local storage||Require regular re-authentication|
|Constrain clipboard cut and copy||Wipe data after security event|
|Constrain clipboard paste||Online access only|
|Constrain external applications||Constrain Wi-Fi networks|
|Constrain URL Schemes||Require internal network|
|Block camera||Constrain network access|
|Block microphone||App update grace period|
|Block screen capture||Require device encryption|
|Block email compose||Disable print|
|Require device pattern screen lock||Poison Pill|
|Require Citrix Worx Home authentication|
Clearly, with XenMobile, just because a device isn’t MDM enrolled doesn’t mean corporate apps and data can’t be secure.
Finding the right balance between corporate responsibility and employees expectations is the key to a successful BYOD initiative. XenMobile MAM-First provides the security that corporate IT requires without the heavy-handed approach to device management that employees fear. XenMobile provides the necessary toolset to enable businesses and employees to receive all of the benefits of a successful, well-adopted BYOD program.