Whether your company already has an Enterprise Mobility Management (EMM) framework or is still in the planning or transition stage, now is the time to learn, or refresh yourself on, EMM best practices.
Enterprise Mobility Management best practices include three main components: security, usability, and corporate culture. These components interconnect, so ignoring one aspect adversely impacts the others.
This post outlines the best practices for Enterprise Mobility Management implementation. Since EMM has multiple components, like mobile application management (MAM), mobile device management (MDM), and others, there is a significant overlap.
The application of each practice may differ between components, depending on its importance and implementation at a given organization. For example, the first security-based best practice, encryption, could mean full-device encryption at all times in an organization using an MDM-first scheme. In contrast, it might mean encryption of specific app containers in a MAM-focused program. Regardless, all of the best practices apply to the overarching theme of Enterprise Mobility Management.
EMM Security Best Practices
Security is the most straightforward element with a formal set of evaluating criteria. Security sits at the top of the IT department’s priorities, and it often serves as an IT team’s primary focus. It’s important to note that security encompasses more than setting passwords and managing data access.
Any data stored locally on the device must be encrypted, so its content is indecipherable without the corresponding cryptographic key (usually derived from a password the employee enters). Encryption keeps would-be data thieves from stealing devices, cloning their storage, and perusing their contents.
Unfortunately, full-device encryption is not the default setting on many user-owned devices. For company-supplied devices, one approach is to turn on full-device encryption from the start. For Bring Your Own Device (BYOD) programs, the encryption requirement must apply to specific data unless the owner willingly encrypts the entire device. That practice has merit, but users must understand its benefit before they will consider enabling full encryption themselves.
Any data exchanged between the company intranet and external devices must also be encrypted. Fortunately, modern connectivity standards take this practice seriously and establish encrypted tunnels between remote devices and the intranet by default. If your company is not using fully encrypted tunneling, strongly consider implementing it. Data breaches are expensive and can considerably damage reputations.
Maintain a Wipe Policy for Local Data
Company-mandated device wipes are controversial. No one wants their boss to hold the power to wipe their device remotely. With proper on-device data management, it is possible to implement partial wipes without affecting the user’s personal data. The company can justify wiping company-only data remotely, particularly if it can guarantee the privacy and safety of personal data.
With the advent of virtual mobility solutions (VMS), particularly those that containerize a virtual device on a remote server, it is easy to avoid storing local data on the user’s device, eliminating the need to maintain any wipe policy. Naturally, any corporate-owned, server-side container can be wiped from within the organization without the risk of wiping employee-owned data.
Use Context-Based Authentication
Context-based authentication is the first line of defense against unwanted intruders. An example is verifying a device that attempts to connect from a new location, such as a previously unused IP address, with two-factor authentication (2FA). The company intranet may also restrict external mobile access by IMEI, a wireless device’s unique identifier, or restrict in-office WiFi access by MAC address. Both identifiers can be registered beforehand.
IT teams must strike a balance between overzealous context-based authentication practices and usability, and IT management teams must not overburden users with excessive screenings and obstacles.
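The following decision routine, added here as an example and not part of the original post or any vendor's product, combines the three checks described above: a pre-registered MAC address for office WiFi, a pre-registered IMEI for external access, and a 2FA step-up when a device connects from a source address it has never used before. The registry values, the network labels and the `DeviceHistory` record are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed registry: identifiers recorded when the device was enrolled.
# Sample values only; they do not belong to any real device.
REGISTERED_IMEIS = {"490154203237518"}
REGISTERED_MACS = {"3c:22:fb:1a:2b:3c"}


@dataclass
class DeviceHistory:
    """Per-device context the server has seen before (constructed)."""
    known_ips: set = field(default_factory=set)


def decide_access(imei, mac, source_ip, network, history, mfa_passed=False):
    """Apply the context-based checks and return (decision, reason).

    decision is 'allow', 'challenge' (2FA required) or 'deny'.
    network is 'office_wifi' or 'external' (assumed labels).
    """
    # In-office WiFi is gated by a pre-registered MAC address and external
    # access by a pre-registered IMEI. Both are identifiers rather than
    # secrets, so they gate enrollment; they do not replace user authentication.
    if network == "office_wifi":
        if mac.lower() not in REGISTERED_MACS:
            return "deny", "unregistered MAC address"
    elif network == "external":
        if imei not in REGISTERED_IMEIS:
            return "deny", "unregistered IMEI"
    else:
        return "deny", "unknown network class"

    # A previously unseen source address is the 'new location' signal:
    # step up to 2FA, and remember the address only once 2FA has passed.
    if source_ip not in history.known_ips:
        if not mfa_passed:
            return "challenge", f"first connection from {source_ip}"
        history.known_ips.add(source_ip)
    return "allow", "context matches prior activity"
```

Because the IP address is learned only after a successful 2FA, a stolen device cannot seed its own "known" locations by simply retrying.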
Patch Vulnerabilities for All Devices at All Times
Consumers have more mobile technology choices now than ever. From Apple to Samsung, Huawei to Sony, there are many devices to buy, and every one of them is a target for attackers. iOS and Android are the dominant operating systems in the United States and Europe, which narrows the field, but even then there is a constant flow of new vulnerabilities to patch.
It is vital to run the most current operating systems with the latest security patches. For more MAM-focused approaches, this could mean pushing updates only for the local, corporate-mandated apps. However, that approach still leaves room for leaks if the employee device is compromised at the operating-system level. The need to require employees to keep devices up to date cannot be emphasized enough.
For Enterprise Mobility Management in general, a centralized dashboard lets IT personnel track which devices workers are using, along with the associated vulnerabilities and patches. Depending on the approach (MAM, MDM, VMI, etc.), these dashboards range from centralizing information (to urge employees to update their devices) to a fully automated patching system.
A fully automated system is achievable in a Virtual Mobile Infrastructure solution, where corporate-server-based containers are spun up on demand when an employee requests access. Containers can be updated instantly from within, and if one has been running too long without updates, it can be forcibly restarted.
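As an added example (not from the original post or any product), the following inventory check models the two dashboard behaviours just described: devices IT does not control are flagged for a user notification when their OS falls below a patch baseline, while server-side VMI containers that have run past an update age limit are marked for a forced restart. The inventory, the version baselines and the seven-day container limit are constructed assumptions.

```python
from datetime import datetime, timedelta

# Assumed baselines, constructed for illustration (not real advisories):
# the oldest OS release still considered patched, per platform.
MIN_OS_VERSION = {"ios": (17, 4), "android": (14, 0)}
# Assumed VMI rule: a server-side container that has run this long without
# an update is restarted so it picks up current patches.
MAX_CONTAINER_AGE = timedelta(days=7)

NOW = datetime(2024, 6, 1, 9, 0)  # constructed evaluation time

# Constructed inventory as a dashboard might collect it at enrollment/check-in.
SAMPLE_INVENTORY = [
    {"id": "byod-1", "kind": "device", "platform": "ios", "os_version": "17.5"},
    {"id": "byod-2", "kind": "device", "platform": "ios", "os_version": "17.3.1"},
    {"id": "byod-3", "kind": "device", "platform": "android", "os_version": "13"},
    {"id": "vmi-1", "kind": "container", "last_update": datetime(2024, 5, 30)},
    {"id": "vmi-2", "kind": "container", "last_update": datetime(2024, 5, 1)},
]


def parse_version(text):
    """'17.3.1' -> (17, 3, 1); tuple comparison orders releases correctly."""
    return tuple(int(p) for p in text.split("."))


def evaluate(inventory, now=NOW):
    """Map each asset id to 'ok', 'notify' (ask the user to update a device
    IT does not control) or 'restart' (rebuild a stale corporate container)."""
    actions = {}
    for asset in inventory:
        if asset["kind"] == "container":
            stale = now - asset["last_update"] > MAX_CONTAINER_AGE
            actions[asset["id"]] = "restart" if stale else "ok"
        else:
            baseline = MIN_OS_VERSION.get(asset["platform"])
            if baseline is None:
                actions[asset["id"]] = "notify"  # unknown platform: cannot vouch
            elif parse_version(asset["os_version"]) < baseline:
                actions[asset["id"]] = "notify"
            else:
                actions[asset["id"]] = "ok"
    return actions


def summary(actions):
    """Counts per action for the dashboard headline."""
    counts = {"ok": 0, "notify": 0, "restart": 0}
    for action in actions.values():
        counts[action] += 1
    return counts
```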
EMM Usability Best Practices
Employees can be inventive about working around policies and rules. This is a particular concern when rules are confusing, seem archaic or intrusive, or block workflows. Usability is key to keeping employees from managing their own devices or onboarding them improperly, and to avoiding the security and productivity complications that follow.
Troubleshoot Every Device
Being able to troubleshoot every device is not an issue for company-owned device programs, but that is a limited practice today. BYOD is cost-effective and more widely adopted because it lets each employee consolidate onto one device. With high smartphone penetration rates around the world, BYOD seems likely to outpace company-issued devices.
However, BYOD requires IT personnel to be able to troubleshoot user devices, especially as mobile work becomes more critical. A three-day business trip cannot afford to lose even a single day to technology problems. If it does, employee backlash against whatever policy or local-device problem caused the loss is almost certain.
EMM can avoid these productivity losses by knowing how to troubleshoot the main issues for every device in the ecosystem. Since identical, company-owned devices are usually neither feasible nor recommended for most companies, minimizing the number of local apps, or simplifying how they are delivered, tends to reduce the troubleshooting burden.
Do Not Discount Onboarding
Proper onboarding is one of the easiest ways to prevent common errors and set up devices correctly. This process is an excellent time to ask employees whether they have any questions. Encouraging them to ask questions at this stage benefits both the company and the user because it reinforces security and usability concepts in the employees’ minds.
IT personnel can also use the onboarding process to gather information about employee devices, vulnerabilities, and potential hazards arising from employee cyber behavior. It is important to remind employees that their devices now act as gateways to corporate information and data. Onboarding lets employees learn the system in a controlled environment before venturing out on remote assignments, where problems could otherwise require hours of remote training or lead to a leak of confidential data.
Balance Corporate and Employee Needs
While security is paramount and is the main driver behind much corporate technology and its associated IT policies, user experience (UX) is also essential. Arcane security policies and procedures can seem difficult to end-users, and too much friction in previously enjoyed workflows quickly turns into employees cutting corners on secure practices.
EMM Corporate Culture Best Practices
Corporate culture changes affect employee attitudes, IT’s role and approach, and upper management’s ability to drive EMM transitions.
Establish a Security-Conscious Culture
IT professionals already know the importance of security in computing and data. Much of senior management similarly understands the importance of corporate data security. However, many employees may not understand how their devices could act as an entry point for an attack, or why such an attack could be catastrophic. For many people, protecting data in their own lives comes second to convenience and cheaper services.
By fostering a security-conscious culture, all members of the organization, from the top decision-makers to the rank-and-file, will proactively guard confidential information and habitually defend weaker system points. A periodic workshop or company meeting could highlight recent vulnerabilities, discuss best security practices, and reinforce the sentiment that data itself is valuable and must be protected.
Mobile technology moves quickly, and the threats and weaknesses follow suit. Inflexible policies will eventually bend past their breaking points and potentially lead to security leaks and data breaches. They can also cost productivity and employee engagement.
Further, the IT department must continuously survey the mobile landscape for changes and trends. Suppose a new tech fad appears among 50% of the workforce. In that case, a company trying to mobilize its workforce on personally owned devices cannot ignore it. One example was the explosion of video conferencing that came with the outbreak of the coronavirus. Very quickly, conference-bombing became a significant issue. While that particular threat was unforeseeable, the shift to video conferencing was not. Corporate IT culture should embrace such shifts and prepare for their challenges.
Your organization may not consider a mobile-first or mobile-only approach tenable, but refusing to embrace mobility is likely to backfire. An always-on, always-connected work culture, even with a proper work-life balance, increasingly means employees connect to the corporate network from outside the office. It may start with email, but “just email” quickly escalates to “just this one task,” and so on.
If the company has not embraced mobility or is actively impeding its progress, employees may use unmanaged devices to access company data. That scenario spirals rapidly until a breach occurs. At that point the system suffers a shock: everyone is used to workflows that incorporate unregulated mobile elements, and IT will struggle to bring everything under a coherent system. Leaving these problems unaddressed leaves security holes wide open.
The complete mismatch of security and corporate culture is avoidable if companies embrace mobility now. Mobility is hard to argue against at some level, and managing a nascent move is far superior to restructuring entrenched workplace habits. A Virtual Mobility Solution (VMS) is one way to ensure full enterprise data security while empowering end-users with personal devices. Maintain 100% separation of corporate and personal data with a Hypori solution and meet your EMM needs.
These are two informative papers that explain many of the mistakes companies make in implementation and some worthwhile approaches to evaluate.