Security Manager's Journal: Siccing MDM on personal mobile devices

Their use has gotten out of control. And mobile device management will play well with newly deployed NAC.

We looked into mobile device management (MDM) in 2012, but the time didn't seem right. Now, some 18 months later, things have changed, and MDM is looking more like a good fit for us.

There's no question that we need better control over the plethora of personally owned mobile devices connecting to our corporate network and accessing applications that contain sensitive company data. Naturally, we have policies that forbid users from connecting a personally owned device to the corporate network, but they aren't enforced. As a result, we have too many personal iPhones, iPads, Androids and PCs on our network.

Back in 2012, we didn't feel that the MDM market was mature enough to fork over up to $300,000 per year to solve a problem that was somewhat mitigated by existing technology and processes. The mitigation came in part from the fact that users need a domain account to connect to our corporate wireless access points. We don't advertise the SSID and we have a strong password that enables encryption. But the "security by obscurity" approach only goes so far, and it didn't take long for employees to spread the word about how to connect personally owned devices to the corporate Wi-Fi network.

Moreover, we were using Microsoft ActiveSync to force a security policy to devices that were synchronized to obtain email. That served us well for several years, but in the current age, when mobile devices are being used to store and process ever more sensitive data, ActiveSync just doesn't scale or meet the heightened security requirements.

As I said, the MDM market just wasn't mature a year and a half ago. There was talk of buyouts, compatibility issues and a lack of features. We couldn't find enough satisfied customers to make the investment seem worthwhile.

Much Has Changed

Today, though, prices have dropped, and the market has matured. What's more, our recent deployment of network access control (NAC) technology should complement an MDM deployment.

NAC is aimed at the desktops on our network. We're still working out the kinks, trying to eliminate false positives and establish a process for exempting certain devices. When we do turn on enforcement and start blocking non-corporate devices, we want to use MDM as the control point for the identification of registered mobile devices.

MDM will help us enforce our current mobile device policy: We can set it to accept only "strong" passwords and to initiate device lock after a defined period of inactivity. We can also use it to wipe devices that go missing.

Even better, though, MDM will let us extend our policy to identify unlocked or jailbroken devices and require compartmentalization of data. (Compartmentalization involves the separation of personal and corporate data; it will provide some flexibility, so that when an employee leaves the company, we can wipe only our company's data and not any of the employee's personal data.) We can also create a corporate application store, which means that when an employee leaves, we can just wipe the data associated with those corporate apps, leaving personal apps alone.

So here's the vision: Once NAC and MDM are in place, we will be able to easily identify any unregistered devices and bar them from the network. If users want to register any of those banned devices, they will have to comply with the security policy in exchange for seamless access to our network and to certain applications.
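The admission logic behind that vision, as an added illustration that is not the column's own code or any particular NAC or MDM product's API: a device record (as an MDM would report it) is checked against the policy described above, and unregistered or non-compliant devices are quarantined with the reasons recorded. The passcode length, inactivity-lock threshold, exemption list and sample devices are all constructed assumptions, not values from the column.

```python
"""Added example: MDM compliance as the NAC control point for mobile devices.
Policy thresholds, the exemption list and the device records are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed concrete values standing in for the column's "strong password"
# and "device lock after a defined period of inactivity".
MIN_PASSCODE_LEN = 6
MAX_INACTIVITY_MIN = 15

# Hypothetical exemption list; the column mentions an exemption process for
# certain devices but names none.
EXEMPT_DEVICE_IDS = {"lobby-kiosk-01"}


@dataclass
class Device:
    """Attributes an MDM would report about an enrolled device (constructed)."""
    device_id: str
    mdm_enrolled: bool
    passcode_len: int = 0
    inactivity_lock_min: Optional[int] = None  # None = no auto-lock configured
    jailbroken: bool = False
    corporate_container: bool = False  # personal/corporate data separated?


def evaluate(dev: Device) -> Tuple[str, List[str]]:
    """Return ("allow" | "quarantine", reasons) for a device seen by NAC."""
    if dev.device_id in EXEMPT_DEVICE_IDS:
        return "allow", ["exempt by process"]
    # Unregistered devices are barred outright; registering requires compliance.
    if not dev.mdm_enrolled:
        return "quarantine", ["not registered in MDM"]
    reasons: List[str] = []
    if dev.passcode_len < MIN_PASSCODE_LEN:
        reasons.append(f"passcode shorter than {MIN_PASSCODE_LEN} characters")
    if dev.inactivity_lock_min is None or dev.inactivity_lock_min > MAX_INACTIVITY_MIN:
        reasons.append(f"inactivity lock missing or longer than {MAX_INACTIVITY_MIN} min")
    if dev.jailbroken:
        reasons.append("jailbroken or rooted")
    if not dev.corporate_container:
        reasons.append("corporate data not compartmentalized")
    if reasons:
        return "quarantine", reasons
    return "allow", ["compliant"]


def wipe_scope(dev: Device, lost: bool) -> str:
    """Lost devices are wiped fully; on offboarding, wipe only corporate data
    when the device has a corporate container, otherwise the whole device."""
    if lost or not dev.corporate_container:
        return "full-device"
    return "corporate-data-only"


def run(fleet: List[Device]) -> Dict[str, str]:
    """Evaluate a constructed fleet and return device_id -> decision."""
    return {d.device_id: evaluate(d)[0] for d in fleet}


# Constructed sample fleet covering the cases the column describes.
SAMPLE_FLEET = [
    Device("personal-iphone-a", mdm_enrolled=False),
    Device("enrolled-ipad-b", True, passcode_len=8, inactivity_lock_min=10,
           corporate_container=True),
    Device("enrolled-android-c", True, passcode_len=4, inactivity_lock_min=60,
           jailbroken=True),
    Device("lobby-kiosk-01", mdm_enrolled=False),
]

if __name__ == "__main__":
    for dev in SAMPLE_FLEET:
        decision, why = evaluate(dev)
        print(f"{dev.device_id}: {decision} ({'; '.join(why)})")
```

Running the script prints one line per device; the unregistered phone and the rooted Android with a short passcode land in quarantine, the compliant iPad and the exempted kiosk are allowed. The reasons list is what a help-desk process would hand back to the user who wants to register a banned device.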

I'll let you know how close we get to achieving that vision.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at


Copyright © 2014 IDG Communications, Inc.
