Enterprise mobility management (EMM) is now widely adopted, with more than three-quarters of enterprises deploying the technology, according to IDC survey data. However, there are still roadblocks to end user adoption and penetration of the technology in terms of enrolled devices among users.

Organizations with bring-your-own-device (BYOD), choose-your-own-device (CYOD) and other user-centric models find it difficult to get more users with personal devices to enroll in EMM. To expand EMM to a broader set of employees, security teams need to move the control points of mobility away from device-level controls toward data- and app-centric controls with user identity as the linchpin.

Learn about IBM’s industry-leading approach to EMM

Overcoming Mobile User Challenges With Enterprise Mobility Management (EMM)

Enterprises across industries and regions share common pain points around mobile security, privacy, ownership and overall usage of mobile devices. Device choice is now the norm in the majority of enterprises, covering both the device ownership model (corporate-liable versus BYOD) and the types of devices used under each model. With increased user choice and autonomy comes an increased perception of ownership and expectations of privacy — not to mention an increased level of security risk to the enterprise.

The top challenge enterprise IT teams say they face in getting more devices enrolled in an enterprise mobility management or mobile device management (MDM) solution is user resistance. According to IDC’s “2018 Enterprise Mobility Decision Maker Survey,” 48 percent of firms cited user resistance as the top reason why mobile devices are not enrolled in EMM/MDM platforms (regardless of whether the devices are company-owned or personal).

For BYOD users and, increasingly, users of general-purpose, corporate-liable smartphones, expectations of privacy and device autonomy and ownership are growing. When employees use personal smartphones for work, they typically resist enrolling them into MDM platforms unless absolutely necessary. This can work to an extent, if only email and some basic mobile apps are used. However, if BYOD mobile workers need deeper access to more complex or specialized platforms, EMM/MDM is often the only choice.

Moving Security From Devices to Apps and Data

Mobile app management (MAM) is an EMM subsegment and feature. MAM puts the control and policy enforcement points at the app or software level, as opposed to relying on device-level or hardware/OS-based controls. MAM solutions can include containers — which put a secure wrapper or management framework around a set of apps on a mobile device (e.g., email, calendar, contacts) — and allow a business to provision, revoke, control and manage all data and the presence of the app on a user’s device.

MAM especially benefits BYOD-centric enterprises by focusing security, policy enforcement and controls on apps as opposed to the device itself. Employees using their own devices for work have a personal stake in and relationship with the hardware itself; they feel far less ownership or autonomy over the apps used for work. Employees understand IT has the right to provision, control and secure such apps and data. This dynamic makes MAM a powerful tool for securing and managing corporate data and apps while still leaving workers in control of their personal devices.

Data classification and data loss prevention (DLP) are other key aspects of MAM- and data-centric mobility management. Data classification involves identifying the sensitive data assets and files accessed by mobile apps. DLP is the creation of policies that prevent access to sensitive data, or that block actions on it such as copy/paste, download and other forms of use. This is critical in mobile device use cases involving access to medical data, financial information or sensitive IP.

Conditional access is another key control point in a management framework that is not device-centric. Conditional access is the ability to allow mobile app and device users to access certain types of data and apps only if certain conditions hold. This could include requiring users to be on a trusted Wi-Fi or cellular network, or to be physically located in a certain region or office location.

Identity and Role-Based Security

When security and management are tied to apps and data, the user identity, as opposed to a device identifier (such as an International Mobile Equipment Identity (IMEI) or an embedded certificate), takes a more prominent role. Identity platforms can range from on-premises directories to software-as-a-service (SaaS) app identity and access controls. Enterprise app platforms tie into identity to centralize access rights, roles, privileges and other capabilities across platforms.

Identity integration for mobility management is also important for bridging on-premises and cloud apps and data assets. Some apps and services live behind a corporate firewall on-premises, requiring virtual private network (VPN) access, while other services might be cloud or hybrid cloud apps. Identity-based controls tied to MAM- and app/data-centric security policies can ensure that user experiences, as well as policy and enforcement, are consistent across these environments.
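The three control points described above (data classification feeding DLP rules, conditional access on network and location, and identity/role checks instead of device identifiers) can be shown together as one small policy evaluator. The following is an added example written for this article; it is not IBM code or any product's policy engine. Every asset label, role name, network name, region and policy field in it is a constructed assumption, chosen only to make the decision logic concrete.

```python
"""Added example: app/data-centric access evaluation in the style of a MAM policy.

Not IBM's or any product's code. All names (roles, networks, regions, asset
labels, policy fields) are constructed for illustration.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Data classification levels (constructed; real schemes vary)."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


# Data classification step: asset label -> sensitivity (constructed inventory).
ASSET_CLASSES = {
    "cafeteria-menu": Sensitivity.PUBLIC,
    "sales-forecast": Sensitivity.CONFIDENTIAL,
    "patient-records": Sensitivity.RESTRICTED,
}


@dataclass(frozen=True)
class Policy:
    """Controls attached to a sensitivity level rather than to a device."""
    allowed_roles: frozenset = frozenset()      # identity/role gate; empty = any user
    trusted_networks: frozenset = frozenset()   # conditional access; empty = any network
    allowed_regions: frozenset = frozenset()    # conditional access; empty = anywhere
    require_managed_app: bool = False           # MAM container / wrapped app only
    blocked_actions: frozenset = frozenset()    # DLP: denied even when access is granted


# Policy table keyed by classification (constructed).
POLICIES = {
    Sensitivity.PUBLIC: Policy(),
    Sensitivity.INTERNAL: Policy(require_managed_app=True),
    Sensitivity.CONFIDENTIAL: Policy(
        allowed_roles=frozenset({"finance", "executive"}),
        require_managed_app=True,
        blocked_actions=frozenset({"download"}),
    ),
    Sensitivity.RESTRICTED: Policy(
        allowed_roles=frozenset({"clinician"}),
        trusted_networks=frozenset({"corp-wifi", "corp-vpn"}),
        allowed_regions=frozenset({"US"}),
        require_managed_app=True,
        blocked_actions=frozenset({"copy", "download", "share"}),
    ),
}


@dataclass(frozen=True)
class AccessRequest:
    """What the managed app reports about the user and runtime context (constructed)."""
    user: str
    roles: frozenset
    asset: str
    action: str          # "read", "copy", "download", "share"
    app_managed: bool    # True when the app runs inside the MAM container / wrapper
    network: str         # e.g. "corp-wifi", "corp-vpn", "cellular", "public-wifi"
    region: str


def evaluate(req: AccessRequest) -> tuple[bool, list[str]]:
    """Deny by default; return (allowed, every failed condition).

    Collecting all failures instead of stopping at the first one makes the
    decision explainable to the user and useful in the audit log.
    """
    reasons: list[str] = []
    sensitivity = ASSET_CLASSES.get(req.asset)
    if sensitivity is None:
        return False, [f"asset {req.asset!r} is unclassified; unclassified data is denied"]
    policy = POLICIES[sensitivity]

    if policy.allowed_roles and not (req.roles & policy.allowed_roles):
        reasons.append(f"user {req.user} holds none of roles {sorted(policy.allowed_roles)}")
    if policy.require_managed_app and not req.app_managed:
        reasons.append("asset is only accessible from a managed (containerized) app")
    if policy.trusted_networks and req.network not in policy.trusted_networks:
        reasons.append(f"network {req.network!r} is not trusted for {sensitivity.name} data")
    if policy.allowed_regions and req.region not in policy.allowed_regions:
        reasons.append(f"region {req.region!r} is outside the allowed regions")
    if req.action in policy.blocked_actions:
        reasons.append(f"DLP blocks {req.action!r} on {sensitivity.name} data")
    return (not reasons), reasons


def demo() -> dict[str, bool]:
    """Evaluate a few constructed requests and return case name -> allowed."""
    base = dict(user="alice", roles=frozenset({"clinician"}), asset="patient-records",
                action="read", app_managed=True, network="corp-wifi", region="US")

    def request(**overrides) -> AccessRequest:
        return AccessRequest(**{**base, **overrides})

    cases = {
        "clinician reads on corp wifi": request(),
        "clinician copies record": request(action="copy"),
        "clinician on public wifi": request(network="public-wifi"),
        "unmanaged app": request(app_managed=False),
        "contractor without role": request(user="bob", roles=frozenset({"contractor"})),
        "anyone reads menu": request(asset="cafeteria-menu", app_managed=False,
                                     network="public-wifi", region="DE"),
    }
    results = {}
    for name, req in cases.items():
        allowed, reasons = evaluate(req)
        results[name] = allowed
        verdict = "ALLOW" if allowed else "DENY  " + "; ".join(reasons)
        print(f"{name}: {verdict}")
    return results


if __name__ == "__main__":
    demo()
```

Note that nothing in the request is a device identifier: the decision is driven by the user's roles, the classification of the asset, the action, and the runtime conditions the managed app can attest to, which is the shift from device-level to app-, data- and identity-level control the article describes.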

Many organizations are moving toward unified endpoint management (UEM), which converges mobile and PC device, app, and service management and security. More than two-thirds of enterprises said they will be on UEM platforms in the next five years. Identity and app-based controls will be an important integration point for businesses looking to deploy common management policies, security controls and other settings across multiple device types and form factors. While device management and control will be a component of UEM, app-centric and identity-based technologies will be most critical for success.

Expanding the reach of mobility management in an enterprise to personal devices — and to cloud-based applications and external SaaS platforms — requires an EMM solution that moves beyond device-level controls, with a focus on apps, data and identity as key control points.

