Best Mobile Device Management (MDM) Solutions Buying Guide

By Sean Peek, business.com Contributing Writer | Updated Apr 26, 2022

A mobile device management solution can ensure any mobile devices used in your business are robust and secure. This buying guide breaks down everything you need to know to choose the right software for your company.

 

Mobile device management and enterprise mobility management

The rapid proliferation of corporate- and user-owned devices in the workplace means businesses need to beef up their support infrastructure sooner rather than later. Mobile device management (MDM) is the primary software solution for managing and securing company data and applications that are used on the many mobile endpoint devices that go in and out of your organization. MDM platforms give you a central interface to interact with the data on your company's mobile devices as well as your employees' personal devices, which are typically enrolled in the platform when staffers are hired.

Enterprise mobility management (EMM) is another form of endpoint management that usually refers to a larger suite of tools. Today, EMM solutions typically include MDM, mobile application management (MAM) and mobile content management (MCM) capabilities, each of which addresses specific concerns regarding managing mobile devices, applications and content. Other common EMM capabilities include an app store and productivity apps, a secure browser, email management, reporting, and analytics. Some products even offer identity and access management (IAM), single sign-on (SSO), and threat protection.

These are some of the financial benefits of MDM and EMM tools:

  • Enhanced IT access control, including remote monitoring, configuration and app deployment
  • Enhanced security, including policy enforcement, blacklists/whitelists and password management
  • Protection against data breaches, including remote lock and wipe capabilities for lost or stolen devices
  • Logging and reporting capabilities for compliance purposes
  • Data protection, backup and restore functionality for corporate data
  • Improved productivity for end users

FYI: Whether your company data is stored on in-office equipment or mobile devices, it's wise to invest in one of the best cloud storage and online backup systems.

Pricing

Most MDM vendors charge annually per device, but some offer a per-user option, where the price is a bit higher but includes an unlimited number of devices per user. This option is ideal for organizations that are supporting "bring your own device" (BYOD) programs or mixed environments.    

Several vendors have additional support/maintenance/software update fees that are separate from the device/user fees. Some also offer a perpetual device fee with an annual support/maintenance fee. Additionally, many MDM solutions are part of a bigger bundle or package that might include a separate license.  

Your first step should be to get an accurate quote from a vendor and perform a cost analysis that takes into consideration not only the MDM fees, but also the management costs associated with implementing and supporting the solution. Consider what the implementation will require and if the vendor is helping in any way. Determine how many people you'll need in each role during the transition and how much time you'll need them for. Then include these costs in your analysis.  

More advanced EMM platforms that feature an entire suite of endpoint management tools are more likely to have different tiered plans and will likely work with your company to come up with a quote based on your exact needs.

Negotiation Tips

As you research and shop for an MDM or EMM solution, it's important to know exactly what your organization's needs and use cases are for such a platform. Keep the following features and prerequisites in mind, and make sure the service you select has them.

Supported operating systems and platforms

MDM suites usually support a subset of all available operating systems and platforms. Operating systems are the software the device uses, while the platform is the type of device, such as a mobile phone, tablet computer or laptop computer.

Major mobile device OS options include Android, iOS (Apple) and Windows Mobile. Major computer OS options include Windows, Mac OS X, Linux and Chrome OS. Based on the devices your employees regularly use, you can decide which ones you want to allow in your network.

Security features

While all MDM vendors will tout their security features, there are a few essential ones to recognize and require for your own company's safety and ongoing security efforts:

  • Mandatory password protection
  • Jailbreak detection
  • Remote wipe
  • Remote lock
  • Device encryption
  • Data encryption
  • Malware detection
  • VPN configuration and management
  • Wi-Fi configuration and management

Enterprise app integration

You don't want to commit to a tool that doesn't fit in with what you already use. Examine your MDM prospects with a discerning eye when it comes to integration with your existing enterprise applications, such as Active Directory/LDAP, Microsoft Exchange, web-based mail, cloud services and backup/restore.

End-user support

Unless you have the resources and the desire to provide 24/7 support for your mobile users, you should find out if your MDM suite comes with a self-service portal, help desk and multi-language support.

Management and reporting features

Before purchasing an MDM suite, you should find out what's offered for management and reporting. Administrators will need a robust management interface to monitor, patch and track managed devices. For reporting, you should look for device-level analytics, alerting options and a real-time dashboard so that you can see at a glance the number and health of your managed devices. Also check what type of third-party management software integration is available for your suite, and how extensive it is.

Demos

The key to purchasing an effective MDM solution is to "try before you buy." Most vendors have limited device demonstration software you can use for an evaluation period. Include anyone on your technical team who will be using the software so they can fully vet the suite and its features. There are plenty of MDM suites that provide you with the protection you need, give your employees the freedom they want and have the features that matter. It will just take research and hands-on experimentation to determine which is best for your business.

State of the Industry

There are recent changes to the world of mobility management that will impact your business. First, the definition of mobile devices has expanded to include notebook computers, two-in-one devices and wearable technology. If a device is neither physically attached to a desk or rack nor too heavy to move, it can and should be administered under mobile management. From a feature and function perspective, enterprise access and containerized productivity apps are driving EMM purchase decisions rather than augmenting them as a value-add.

Second, the IT world has pushed incumbent enterprise applications to either become mobile-friendly or be replaced by newer (and often less expensive) cloud-based solutions. Under the auspices of mobile application management, nearly every type of tool either has a native app, a web browser link or another mechanism to access enterprise data securely.

Finally, anywhere-access to content has also changed, blossoming into the market of enterprise file sync and share (EFSS). This relates to EMM in terms of MCM. As an included component of EMM suites, MCM is disrupting not only the incumbent document management systems, but also SharePoint and default storage for public cloud apps (such as Salesforce). It's also knocking out the antiquated shared-drive model.

The importance of MDM in a remote world

MDM is a crucial component in any company's security framework but is even more essential in today's era of distributed workforces. As more companies offer the option of a fully remote or hybrid work arrangement, MDM provides peace of mind that company data is safe no matter where employees are working.

Ever-evolving mobile technology gives employees the ability to access a company's files, intranet, email, SharePoint and more right at their fingertips. With a proper MDM program, your company's IT department can centrally manage all devices when problems arise, such as viruses and malware. For example, if an employee loses their phone, MDM systems can wipe the phone and set up another device using backup data.  

Tip: Even with mobile devices, you can use tools to track productivity and monitor employee workflow remotely.

What you can do with MDM

Tracking mobile devices: Asset management 

The first step to managing mobile devices in your enterprise is ensuring you have an accurate inventory of devices using your infrastructure. Inventory and asset management features can help you identify the number and types of devices on your network. Asset management features should include the ability to register devices, query for device configuration and report on the status of devices. For example, you should be able to generate reports on the number of mobile devices registered, the types of devices present, and the operating systems and the patch levels used. An asset inventory supports many of the other functions required for managing the security of mobile devices.

Screening apps: Whitelisting/blacklisting

System administrators can easily control applications installed on workstations and company laptops by limiting administrator privileges. Achieving comparable levels of control with mobile devices is more challenging. Different platforms offer varying features and functionality, so look for an MDM system that provides a common set of management features for all the platforms you support. One of those common features should be the ability to limit apps used on managed mobile devices.

Whitelisting allows you to list the set of acceptable apps for mobile devices. Some MDM systems include app stores that allow you to host a repository of appropriate apps for your users. MAM is also a separate software category; if your MDM platform does not provide an app store, you can get that functionality from another application.

Blacklisting allows you to limit the use of unapproved applications. This is useful when you want to specifically identify an application that should not be on a mobile device accessing your corporate network, such as those that collect personal or corporate information unrelated to the app's function.

Did you know? Whitelisting allows you to choose the acceptable applications for mobile devices, while blacklisting limits the use of unapproved applications. You can also filter web content.

Keeping data confidential: Encryption 

One of the advantages of tablets and even smartphones is the ability to maintain copies of and read documents away from the office. Office productivity apps can provide much of the functionality of desktop word processors and spreadsheets, creating even more incentive to download copies of corporate information to mobile devices. The obvious security drawback is that mobile devices can be lost or stolen and therefore potentially leak confidential information.

However, MDM systems can allow you to define an encryption policy for data stored on mobile devices. This should include strong encryption and key management. Keep in mind that data should be encrypted during transmission ("data in motion") and when stored on the device ("data at rest"). Be sure to test your essential apps with device encryption: data must be decrypted before it can be programmatically manipulated or viewed, so encrypting a device could disrupt some app functionality.

Locking down devices: Controlling device configurations 

Mobile devices are feature-rich with Bluetooth connectivity, location tracking, Wi-Fi network access and other functions. These can all be useful in many situations, but for security-conscious IT professionals, they can seem more like vulnerabilities than features. MDM systems should allow for remote control over configurations, up to and including remotely wiping a lost or stolen device.

Enforcing rules: Policy management 

A sound mobile device management strategy should include policies that describe the configuration and operational requirements imposed on employees' mobile devices. These policies can cover a broad range of device controls, such as the use of encryption, the need for device passwords, and the ability to disable Bluetooth, Wi-Fi and location services. Since many organizations support multiple mobile device platforms, the policy enforcement mechanism should function across multiple systems.

MDM solutions can help mitigate security risks related to the use of tablets and smartphones in your enterprise. Look for support for asset management, app management, encryption and policy enforcement to help protect your information assets.
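To make the asset inventory, whitelisting/blacklisting and policy enforcement ideas above concrete, here is an added Python example (not part of the original guide and not any vendor's product). The device fields, policy values and sample fleet are constructed for illustration; it shows how one policy is evaluated across platforms and how whitelist mode flags an unknown app that blacklist mode lets through.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Device:
    owner: str
    os: str
    os_version: tuple          # (major, minor) patch level reported at enrollment
    encrypted: bool
    passcode_set: bool
    jailbroken: bool
    apps: set = field(default_factory=set)

# Hypothetical policy values chosen for this example.
POLICY = {
    "min_os": {"iOS": (15, 4), "Android": (12, 0)},   # supported devices list
    "app_mode": "whitelist",                          # or "blacklist"
    "whitelist": {"mail", "vpn", "docs"},
    "blacklist": {"flashlight-pro"},
}

def app_violations(apps, policy):
    """Whitelist: every unlisted app is a violation. Blacklist: only listed apps are."""
    if policy["app_mode"] == "whitelist":
        return sorted(apps - policy["whitelist"])
    return sorted(apps & policy["blacklist"])

def evaluate(device, policy):
    """Return the list of policy findings for one device (empty list = compliant)."""
    findings = []
    if not device.encrypted:
        findings.append("device not encrypted")
    if not device.passcode_set:
        findings.append("no passcode")
    if device.jailbroken:
        findings.append("jailbroken/rooted")
    minimum = policy["min_os"].get(device.os)
    if minimum is None:
        findings.append(f"unsupported platform: {device.os}")
    elif device.os_version < minimum:
        findings.append("OS below minimum patch level")
    findings += [f"unapproved app: {a}" for a in app_violations(device.apps, policy)]
    return findings

def inventory_report(devices, policy):
    """Asset report: device count, breakdown by OS, and findings per non-compliant owner."""
    results = {d.owner: evaluate(d, policy) for d in devices}
    return {
        "count": len(devices),
        "by_os": dict(Counter(d.os for d in devices)),
        "noncompliant": {owner: f for owner, f in results.items() if f},
    }

# Constructed sample inventory.
FLEET = [
    Device("alice", "iOS", (15, 4), True, True, False, {"mail", "vpn"}),
    Device("bob", "Android", (11, 0), True, False, False, {"mail", "notes-sync"}),
    Device("carol", "iOS", (16, 1), False, True, True, {"docs", "flashlight-pro"}),
]

if __name__ == "__main__":
    print(inventory_report(FLEET, POLICY))
```

Switching `app_mode` to `"blacklist"` clears the finding for bob's unlisted `notes-sync` app, which is the practical gap between the two approaches when a new, unreviewed app appears on a device.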

MDM and BYOD

BYOD policies have been a money-saver for companies that require employees to be mobile. Understanding BYOD programs and their impacts on an existing organization and its infrastructure is critical to the adoption of employee-owned devices that allow a business to make the best use of cloud computers, smartphones, superphones and tablets.  

According to Global Industry Analysts Inc., market forecasts expect the BYOD and enterprise mobility market to reach $157 billion by 2026. In 2022, experts estimate the market will be $26 billion. This large increase is due to a rise in remote work. More than 85 percent of companies adopted BYOD policies less than one year into the COVID-19 pandemic, according to Bitglass.

Implementing a BYOD program raises questions about long-term vendor plans, maintenance and procurement, application development, and data ownership. However, security concerns about BYOD often do not receive enough attention, potentially setting the stage for a catastrophic exposure of sensitive data.

Here are some of the best practices when it comes to BYOD programs and security concerns.

  • Policy review: Existing security policies may need tweaking, but there should be a clear path toward applying current policies to personal mobile apps and devices as well.  

  • Realistic expectations: Using a mobile device privately is very different from using a mobile device within a company. Employees using their own technology will have to compromise and accept that your organization's security takes precedence. 

  • Platform support: The mobile platform environment is extremely fragmented, and there is no reason to believe this will change anytime soon. Remember that certain devices outside of Apple's iPhone/iPad may support different features, which requires your organization to maintain a supported devices list. 

  • Application policy: An application policy can be based on blacklisting or whitelisting software in combination with using containers to run third-party software. There needs to be clarity regarding which software is permitted and which is not. Setting an application policy can consume a massive amount of resources, but it will stand at the center of your security policy. Only apps that provide auditing, reporting and centralized management should be allowed. 

  • Evaluation of MDM software: MDM software can solve many of your security headaches, but it will require time to be evaluated properly. Think of MDM software as the skeleton structure of your BYOD program, with a basic set of secure applications you do not have to worry about, including email and remote device access, as well as a structure to enforce internet data traffic policies.
      
  • Mandatory PIN and encryption: Consider the mandatory use of PINs as the first security layer on a device. Similarly, all data stored on the device should be encrypted by default.  

  • Ongoing education and training: All people providing and using their own devices are, by default, risk factors. Consistent education addresses unnecessary risks and provides the knowledge necessary to take part in a BYOD program responsibly. Accidental data loss remains one of the main reasons data is put at risk. Education and training are effective ways to mitigate that risk.

Your BYOD policy will change and evolve as you create and implement the program. Consider the support of your business's legal team or even outside counsel, as BYOD usage has legal implications. Employees with access to a BYOD program should agree to its terms of use.

Bottom Line: Best practices for secure BYOD programs include policy reviews, encryption, ongoing education and training, and realistic expectations.

MDM FAQs

What can an MDM system do?

MDM systems ensure data stays safe within mobile devices used across companies. An MDM solution can perform device tracking to monitor mobile devices in real time and determine how the device uses company information. MDM systems also provide application security capabilities with settings to determine whether app data can be saved, copied or sent to another device. 

Why do I need an MDM system?

As more employees bring their work with them and some even transition to permanent remote setups, it's vital to keep your company data safe. MDM platforms provide companies with the assurance their data has a decreased risk of being stolen, hacked or lost in the shuffle of mobile technological advancements.

What should I look for in an MDM system?

An ideal MDM system allows your IT department to easily add and remove additional devices while ensuring they can perform within the network. Additionally, look for an MDM system compatible with multiple service providers – as well as the common mobile applications and platforms present in your business's toolbox. Ensure any MDM software can support both company and personal devices.

How do I set up an MDM system?

Setting up an MDM system will depend on the service you choose. However, most MDM systems require mobile devices to enroll in the program. Sometimes technology automates enrollment, while other times mobile device users will need to consent to the enrollment. Apple's MDM program allows users to opt out at any time, emphasizing transparency and communication with employees. 

How can I make my MDM system better?

There are a few ways to enhance your MDM system.

  • Implement an enterprise-level app store, and manage the applications users have access to. 
  • Understand the capabilities and limitations of an MDM system before building a strategic game plan. 
  • Ensure your IT department's security and business operations strategies align.
  • Lock and wipe devices that are no longer available to the company to avoid losing any information.