Pavel Glukhikh
IT Professional
Mobile Device Management is NOT Your Enemy
There are a lot of articles out there telling bring your own device (BYOD) users to remove anything work related from their personal devices. Not only are these articles being written by non-technological, privacy centered individuals, but often the advice provided by them is inaccurate. I’m here to separate myth and fiction from fact. I have administered mobile device management (MDM) systems for both iOS and Android devices in multiple enterprise environments, using multiple tools and multiple vendors. These days, many MDM vendors provide solutions that have various special features and management options, but almost all of these system have a few things in common: A device can be remotely located an have it’s content erased if it is lost or stolen. GPS, WiFi, and LTE are leveraged for communication with the device. Windows Phone, iOS, Android, Mac, and Linux are all supported. Software on the device can be managed, pushed, uninstalled, updated, and secured. Some SIM or eSIM management capability (usually used for service provisioning). Some more advanced MDMs can take pictures with the phone’s camera. Corporate services, connectivity, VPN, and certificate management.
As you can see, MDM is a powerful tool that allows for remote management. This is usually what what scares users. They want their privacy and do not want their employer to have any kind of access to their device. These security concerns usually start with someone saying “I don’t want them to tack my phone”. Here is the full picture that your IT department doesn’t tell you. This is why you should not be afraid of advanced MDM features: This is probably one of the most important reasons: your device has something called management channels. These are basically compartments where data resides on the device and the cloud. These compartments keep your data, services, and applications separate from the corporate-installed stuff. The MDM usually establishes this channel structure (but this can also be done by the phone itself). So if a data wipe needs to be done, only the channel managed by the MDM (the corporate channel) gets wiped.
In most cases, in order to preform any kind of device tracking or anything that would compromise privacy, many actions must first be taken. Firstly, even as an MDM admin I was not able to access features such as locate and remote wipe. In order for a device to be located, a lost device process had to be started, and locating and sending remote commands was done by someone from the enterprise security team. This is a team that was not even allowed to disclose the color of their desk, let alone any user data. Even their NDAs had NDAs. Newer MDM systems are not MDMs at all. Instead, only a single application is secured. This can be seen with the newer versions of the Microsoft Office 365 Outlook app for Android and iOS. Companies can configure the email system so that when a user add corporate email to their device, the email application automatically gets certain policies such as enabling face ID on newer iPhones and iPads and biometrics on Android. This also allows the user to add the account themselves, without IT help, and to sign in only a single time. Should an issue occur with the device, an administrator can de-provision (remove) the email account and corporate data off the device without affecting anything else. Another advantage is the device does not even have to be online for this to happen. MDMs add security to your device. It forces you (most times) to create stronger passwords, use 2 factor authentication, and use biometrics for login. It also adds device and email encryption, and allows a device to be located and wiped of any sensitive data if lost or stolen.Finally, a device managed by MDM can be kept up to date with the newest versions of software packages. Most users just skip updates and do not consider them important. But, consider this: when the Facetime vulnerability was discovered (the one that allowed people to remotely view your webcam without accepting calls), MDM subscribers were one of the first groups of users to receive a fix. This occurred in a matter of hours and prevented any breaches or data leaks. There is also the work / life balance issue. Many users argue that having anything work related on your personal devices means that you are a workaholic and interferes with your personal life. This is not true at all. A lot of new companies and roles are now requiring administrators and staff to be online or available even while out of the office. Then, you have people such as myself that expect you to be available at any time of the day. For example, if I am working on a time-sensitive project or I paid for something, I expect the person I need to be online. Many people go off on vacation, or somewhere and claim they don’t have access to email or any communication systems and essentially become unreachable. My number one rule is never be unreachable. With 4G LTE, satellite phones, wireless modems and many other communications mediums out there, there is no excuse for being unreachable.
Lastly, always being available and having work resources on your phone shows that you are dedicated to the company and may actually earn you some points with management, and if it doesn’t then it won’t hurt you either. So, to all of the people out there telling users to delete their work resources off their phones: STOP. If you are not qualified to be discussing IT topics, then don’t discuss them. (15 minutes of Googling does not make you qualified by the way). Stop adding fuel to the privacy fire and spreading lies about work email and mobile resources. Thank you for reading. Please applaud and comment. I value all questions and comments.
~Pavel