Mobile Device Management Guide for MSPs
Mobile devices are integral to the operations of many businesses. More than two-thirds of employees use mobile phones to help do their jobs, and 21 percent rely on corporate mobile apps that are specific to their department or business unit.
Given the central role that mobile devices play for modern businesses, managing mobile hardware is just as important as managing the rest of a business’s infrastructure. For MSPs, this means that there is a rich opportunity to offer mobile device management, or MDM, services to clients.
This article explains what MDM means, why mobile device management for MSPs is a valuable option, and how MSPs can build managed services around MDM.
What Is MDM?
Mobile device management is the process by which businesses (or the MSPs that support them) keep mobile devices secure and functional. MDM allows employers to keep track of the mobile devices being used on their network -- including those that are owned by the company, as well as any personal devices that employees use -- and to take reasonable measures to secure the data and network operations of those devices.
MDM combines two things: policy that designates what employees can and can’t do with mobile devices on a company’s network, and software that allows IT stakeholders to monitor devices within the network.
Why Is MDM Important?
An effective MDM solution addresses several risks for employers:
- Sensitive-data exposure: MDM helps to identify devices that may contain sensitive corporate data so that the data can be properly secured.
- Device theft: If a mobile device is stolen, not only can attackers access sensitive data stored on it, but they could potentially use stored log-in information to gain access to the corporate network. MDM ensures that stolen devices can be quickly identified and then blocked from the network.
- Malware control: MDM helps to mitigate the risk that mobile devices will become infected with malware and then spread it to the rest of the network.
- Compliance: For businesses subject to specific compliance requirements, MDM enables devices to be audited for compliance. It also simplifies the resolution of compliance issues via centralized software updates and access control.
Beyond addressing the risks described above, MDM provides additional benefits:
- Increased network security: By controlling mobile devices and protecting them against malware, MDM increases the security of the overall network on which they operate.
- Ease of remote management: A centralized MDM software solution helps admins manage mobile devices remotely, without having to gain physical access to each device in order to audit it for security risks, install software, and so on.
- BYOD support: MDM makes it practical to allow bring-your-own-device, or BYOD, policies. (For more on BYOD, see below.)
- Controlled device updates: With MDM, admins can specify when devices should be updated or replaced.
- Reduced IT administration costs: MDM helps to simplify mobile-device support operations, which in turn reduces the time and money spent on this IT operation.
Mobile Device Policies: BYOD vs. CYOD vs. COPE vs. COBO
There are several approaches that companies may take when deciding how to integrate mobile devices into their infrastructure:
- Bring your own device (BYOD): Employees use personal devices on the network. This approach saves the company money, because it does not have to pay for the devices, but there are increased risks associated with security. In addition, it may be harder to manage devices, because of a lack of uniformity across them.
- Choose your own device (CYOD): The company allows employees to decide which devices they want, then provides them to employees. This approach can reduce security risks because devices are controlled by the company from the outset. However, there may still be a lack of uniformity, especially if employees are allowed to select from a long list of devices.
- Company-owned, personally enabled (COPE): Under this method, the company provides devices for work purposes but permits employees to use them for personal reasons as well. This approach provides flexibility to employees while increasing device uniformity and security.
- Company-owned, business only (COBO): The company provides the devices, and employees may use them only for business. This policy provides the least flexibility to employees, in return for the highest level of security and uniformity.
In some businesses, mobile device policies may vary between departments, or between employees of different ranks. As an MSP, your job should be to help guide your clients as to which policy is the best for their needs, as well as to help them understand the risks and trade-offs of the option they choose.
MDM and User Privacy
In addition, MSPs should educate clients on user privacy issues at stake on mobile devices. If a client adopts a mobile device policy that allows employees to use a device for both personal and business reasons, and you manage the device for the company through an MDM service, you may end up collecting personal data about the employee or at least having access to it. For example, your MDM tools may track the location of the device, and have access to personal texts or photos.
This is not inherently problematic, but your clients should be aware of the privacy considerations surrounding MDM. In some cases, it may be necessary to consult legal counsel in order to make sure you don’t run afoul of compliance issues or local laws.
You should also make it clear to employees which data you can access on their mobile phones, and explain how they can avoid storing personal data on their phones. Obviously, the best way to avoid these issues is simply to avoid using the same device for personal and business use. But, if that is not possible, there are other steps employees can take to mitigate the exposure of their personal data. For example, if they don’t want their personal photos to be accessible to your MSP MDM solution, they could configure the device so that photos are only stored in a third-party cloud service, rather than being saved locally.
Building an MSP Mobile Device Management Offering
Because of the privacy challenges associated with MDM, as well as the complex set of mobile device policies that companies may use, MSPs have an opportunity to deliver valuable managed services by offering not just technical MSP mobile device management solutions, but also the education, monitoring, reporting, and support that clients need to navigate the mobile landscape successfully.
Toward that end, an MSP mobile device management solution should include:
- Protocols that establish how mobile devices may be used in your client’s workplace.
- MDM software that allows you to keep track of mobile devices within the workplace, conduct audits, and enforce compliance with the policies you set.
- Protection of sensitive data stored on mobile devices. This service may include securing data on the devices themselves, as well as mobile data backup and recovery services.
- Mobile device support, to the extent that you wish to provide it. There can be some nuance here; for example, you could offer support for company-owned devices but not for devices that are personally owned by employees. You could also opt not to provide mobile support services at all, and instead direct clients to the mobile vendors for support.
Selecting MSP MDM Software
When it comes to choosing the MDM software that you use as the basis for an MSP MDM offering, there are several factors to weigh:
- Hosting model: Ideally, you’ll choose a cloud-based, SaaS MSP mobile device management tool that provides automatic updates and simple deployment.
- Remote access: The tool should allow you to access and configure mobile devices from anywhere, so you don’t need to worry about gaining physical access to each one. You should also be able to disable devices remotely.
- Security policies: Look for solutions that allow you to set network-wide mobile security policies, such as requiring passcodes and blacklisting devices.
- Geofencing: This feature lets you restrict access to data and applications based on the location of a mobile device.
- Logging and reporting: The ability to log the activity of mobile devices within a network and generate reports is critical for auditing and visibility purposes.
- Alerts: You should receive alerts when a device is subject to actions like jailbreaking or rooting.
- Scalability: You want to be able to deploy the solution across an existing network of devices quickly, as well as to add new devices easily.
Popular MSP MDM software tools are available from vendors such as Sophos, ConnectWise, MaaS360, Intune, and Miradore, among others.
Further reading: 5 MSP-Friendly MDM Solutions
Also, you can learn more about other MSP software and hardware tools that should go into an MSP's technology stack.
Effective mobile device management is challenging. For MSPs, that’s a good thing, because it means they can bring value to their clients (and increase their own revenues) by building solid MSP mobile device management solutions. To deliver the greatest value, be sure that those services include not just MDM software, but also the guidance, policy enforcement, and other solutions that clients require in order to address all aspects of MDM.