Enterprise mobility management (EMM) is now widely adopted, with more than three-quarters of enterprises deploying the technology, according to IDC survey data. However, there are still roadblocks to end user adoption and penetration of the technology in terms of enrolled devices among users.
Organizations with bring-your-own-device (BYOD), choose-your-own-device (CYOD) and other user-centric models find it difficult to get more users with personal devices to enroll in EMM. To expand EMM to a broader set of employees, security teams need to move the control points of mobility away from device-level controls toward data- and app-centric controls with user identity as the linchpin.
Overcoming Mobile User Challenges With Enterprise Mobility Management (EMM)
Enterprises have many common pain points around mobile security, privacy, ownership and overall usage of mobile devices across industries and regions. Device choice is now the norm in the majority of enterprises, encapsulating device ownership models (corporate-liable versus BYOD) and the types of devices that are used between these two approaches. With increased user choice and autonomy comes an increased perception of ownership and expectations of privacy — not to mention an increased level of security risk to the enterprise.
The top challenge enterprise IT teams say they face in terms of getting more devices enrolled in an enterprise mobility management or mobile device management (MDM) solution is user resistance. According to IDC’s “2018 Enterprise Mobility Decision Maker Survey,” 48 percent of firms cited this as the top issue as to why mobile devices are not enrolled in EMM/MDM platforms (regardless of whether the devices are company-owned or personal).
For BYOD users and, increasingly, users of general-purpose, corporate-liable smartphones, expectations of privacy and device autonomy and ownership are growing. When employees use personal smartphones for work, they typically resist enrolling them into MDM platforms unless absolutely necessary. This can work to an extent, if only email and some basic mobile apps are used. However, if BYOD mobile workers need deeper access to more complex or specialized platforms, EMM/MDM is often the only choice.
Moving Security From Devices to Apps and Data
Mobile app management (MAM) is an EMM subsegment and feature. MAM puts the control and policy enforcement points at the app or software level, as opposed to relying on device-level or hardware/OS-based controls. MAM solutions can include containers — which put a secure wrapper or management framework around a set of apps on a mobile device (e.g., email, calendar, contacts) — and allow a business to provision, revoke, control and manage all data and the presence of the app on a user’s device.
MAM especially benefits BYOD-centric enterprises by focusing security, policy enforcement and controls on apps as opposed to the device itself. Employees using their own devices for work have a personal stake and relationship with the hardware/device itself; there is less of a strong feeling of ownership or autonomy over apps used for work. Employees understand IT has the right to provision, control and secure such apps and data. This dynamic makes MAM a powerful tool in securing and managing corporate data and apps while still allowing for ownership and control of workers' personal devices.
Data classification and data loss prevention (DLP) are other key aspects of MAM- and data-centric mobility management. Data classification involves identifying sensitive data assets and files accessed by mobile apps. DLP is the creation of policies that prevent access to data or actions such as copy/paste, download and other types of usage of sensitive information. This is critical in mobile device use cases involving access to medical data, financial information or sensitive IP.
Conditional access is another key control point in a management framework that is not device-centric. Conditional access is the ability to allow mobile app and device users to access certain types of data and apps only if certain conditions exist. This could include requiring users to be on a trusted Wi-Fi or cellular network or to be physically located in a certain region or office location.
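As an added illustration (not part of the original article and not taken from any EMM product), the Python example below shows how data classification, DLP action rules and conditional access conditions can combine into one default-deny decision, including the case where a network or location signal is missing. The classification labels, action names, region codes and policy table are hypothetical assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ACTIONS = {"view", "copy_paste", "download"}  # hypothetical action names

# Hypothetical policy table keyed by data classification label.
# "trusted_network" and "regions" are conditional access conditions;
# "blocked" is the set of actions the DLP policy forbids outright.
POLICY = {
    "public":     {"trusted_network": False, "regions": None, "blocked": set()},
    "internal":   {"trusted_network": False, "regions": {"US", "EU"}, "blocked": {"download"}},
    "restricted": {"trusted_network": True, "regions": {"US"}, "blocked": {"download", "copy_paste"}},
}

@dataclass(frozen=True)
class Request:
    user: str
    classification: Optional[str]    # None = data was never classified
    action: str
    network_trusted: Optional[bool]  # None = signal unavailable
    region: Optional[str]            # None = location unknown

def decide(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Anything not explicitly permitted is denied."""
    rule = POLICY.get(req.classification)
    if rule is None or req.action not in ACTIONS:
        return False, "default deny: unclassified data or unknown action"
    if req.action in rule["blocked"]:
        return False, "DLP: action blocked for this classification"
    # A missing signal counts as a failed condition, never as a pass.
    if rule["trusted_network"] and req.network_trusted is not True:
        return False, "conditional access: trusted network not confirmed"
    if rule["regions"] is not None and req.region not in rule["regions"]:
        return False, "conditional access: region not permitted or unknown"
    return True, "allowed"

# Constructed sample requests (not real user data).
SAMPLES = [
    Request("alice", "restricted", "view", True, "US"),
    Request("alice", "restricted", "copy_paste", True, "US"),
    Request("bob", "restricted", "view", None, "US"),
    Request("carol", "internal", "view", False, None),
    Request("dave", None, "view", True, "US"),
]

def evaluate_samples():
    return [(r.user, r.action) + decide(r) for r in SAMPLES]

if __name__ == "__main__":
    for row in evaluate_samples():
        print(row)
```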
Identity and Role-Based Security
When security and management are tied to apps and data, the user identity, as opposed to a device identifier (such as International Mobile Equipment Identity or an embedded certificate), takes a more prominent role. Identity platforms can exist anywhere from on-premises directories to software-as-a-service (SaaS) app identity and access controls. Enterprise app platforms tie into identity to centralize access rights, roles, privileges and other capabilities across platforms.
Identity integration for mobility management is also important for bridging on-premises and cloud apps and data assets. Some apps and services can live behind a corporate firewall on-premises, requiring virtual private network (VPN) access, while other services might be cloud or hybrid cloud apps. Identity-based controls tied to MAM- and app/data-centric security policies can ensure that user experiences, as well as policy and enforcement, are consistent across these environments.
Many organizations are moving toward unified endpoint management (UEM), which converges mobile and PC device, app, and service management and security. More than two-thirds of enterprises said they will be on UEM platforms in the next five years. Identity and app-based controls will be an important integration point for businesses looking to deploy common management policies, security controls and other settings across multiple device types and form factors. While device management and control will be a component of UEM, app-centric and identity-based technologies will be most critical for success.
Expanding the reach of mobility management in an enterprise to personal devices — and to cloud-based applications and external SaaS platforms — requires an EMM solution that moves beyond device-level controls, with a focus on apps, data and identity as key control points.