As explained in some of our other blogs, Mobile Device Management (MDM) and Virtual Mobile Infrastructure (VMI) are two common approaches for empowering remote workers with the same abilities as those who remain in the office. They both have their benefits and drawbacks, which we’ll explore here.
First we’ll look at the productivity and empowerment aspects, then we’ll delve into legal and security issues, which are intertwined and always prominent issues for business telecommunications.
What is Mobile Device Management?
Before we start discussing the security and business components of these two technologies, let’s talk about what exactly they are.
MDM generally consists of software that allows a company to install its own productivity and business applications onto a user’s device, most often a smartphone. The device then contains both personal and work-related data and applications, but the latter are ringfenced and protected so that confidential data does not simply leak to the personal side.
Corporate data can be accessed from, downloaded to, and manipulated on the device, and any modified versions of the data are uploaded to company servers as permanent updates.
What is Virtual Mobile Infrastructure?
VMI also enables workers to access and manipulate corporate data on their own devices, but the data is processed remotely on company servers, while user devices receive only an encrypted stream of rendered pixels. From the user’s perspective, VMI is simply an image viewer and I/O application connected to company servers, somewhat like the old terminal-mainframe relationship: the mainframe stored and processed everything, while the terminal was simply an interface. If someone were to steal a device, they would find no corporate files stored on it. See my article that further explains the VMI concept for more details.
Raising Productivity and Empowering the Road Warrior
Now that we have the basic difference fleshed out, let’s look at how those two manifestations can change productivity.
It is clear that mobile-enabling schemes, particularly BYOD programs that align well with MDM and VMI, raise productivity overall. Intuitively, they enhance the flow of data between company servers and the employee. Today, data is the lifeblood of business, and cutting it off immediately raises issues for workers outside the office.
The most powerful MDM programs can provide the out-of-office worker all the capabilities of a worker in the office, albeit on a smaller smartphone screen (though laptops are eligible platforms for MDM software, too). The bottleneck here is processing power: while smartphone processing and battery power have grown considerably over the last few years, they are still unable to match the power of a server rack sitting in a server room. Batteries can only hold so much energy, and the compact dimensions of smartphones restrict heat exchange and the number of processors available.
With its all-remote processing and data storage, VMI easily trumps MDM whenever remote employees need high levels of computing power, storage capacity, or time to perform their work. Because the processing takes place remotely, the employee device also spends less battery on computation, although the screen and the radio link still draw power for the whole session.
Moreover, in high-volatility environments, downloading data to employee devices, as happens in most MDM situations, can lead to stale data and uninformed decisions. VMI always retrieves the latest data directly from company servers and refreshes for every action the user takes.
Unfortunately, therein lies the bottleneck of VMI. While MDM’s main drawback for productivity is processing power and storage capacity, VMI’s main drawback is the need for an always-available network connection, and preferably a fast one at that. Fortunately for VMI, the roll-out of 5G and ubiquitous connection points alleviates much of this issue. Additionally, in volatile environments there is a need to constantly update data, which creates a network bottleneck for MDM, too. Thus, in high-volatility situations, neither scheme boasts a major advantage over the other.
On a financial level, both schemes are certainly cheaper than the company buying thousands of devices and handing them out to individuals. Spending shifts from large capital expenditures on mobile devices to operating costs, which improves operations finance overall.
Of course, if employee devices do not supply sufficient processing power for the company’s MDM software, the company will need to either purchase devices for those employees, subsidize their purchase, or leave some employees out of the mobile revolution – in a somewhat embarrassing way, too, by telling the abandoned employees that their devices are not up to par. Even low-end, generic smartphones are capable of capturing inputs, rendering images, and connecting to a network, which are the only requisites of VMI.
Conclusion: VMI tends to boast more advantages than MDM for productivity when fresh data, high computing power and storage, and long battery life are necessary. MDM is advantageous in areas with poor network coverage. Neither is especially beneficial in high-volatility situations, though the need for always-on flows of information in volatile situations is more natural to VMI than to MDM.
Legal and Privacy Comparison
There are two main issues when it comes to legal questions and privacy concerns for remote workers: who owns what data and who can do what to which devices.
MDM separates corporate from personal data relatively well: the former is only accessible and manipulable from within the MDM apps. However, because data is stored locally, a lost or stolen device becomes a security threat in the MDM scheme. IT departments therefore often demand location-tracking permissions for devices, which intrudes on user privacy. The legal situation becomes even murkier when the IT department locks a user’s device remotely, or even wipes all the data from it, including the user’s personal data.
VMI also separates corporate and personal data, because corporate data is only visible within the viewer window. Because the device only ever holds the frame currently being displayed, there is far less need to remotely wipe or track a VMI device that is lost or stolen: the company data never lives on the device, only a snapshot in image form, so the dataset cannot be recovered from its storage. The caveat is that a memory dump could still recover whatever frame was last on screen, and a cached session token could let the thief resume the session, so VMI sessions should time out and be revocable server-side.
Moreover, MDM schemes may be tempted to log keystrokes while the MDM software runs in order to track user input and pre-empt malicious activity. However, capturing keystrokes on the user’s device raises major privacy concerns, since the same device handles personal messages. In contrast, VMI can process keystrokes server-side, not on-device, so only the input actually transmitted to, and therefore intended for, the company’s servers is recorded.
Finally, high security clearance projects may be subject to stringent restrictions on the physical presence of data and on which devices copies may reside. For government and corporate secrecy, MDM may not sufficiently protect data. Since VMI never transfers a full copy of the file to the remote device, there may be exceptions for VMI users.
Of course, it is always advisable to seek guidance from the data provider. Information is ethereal and some organizations may be extremely sensitive to such information leaving a sanctioned physical location, like a specific office building, regardless of whether it is in the form of 1s and 0s in a copy of the file or in the form of photons emanating from a screen image.
Legal and security concerns are closely connected. The security concerns generally center around how data and systems are protected, both from rogue employees and from inadvertent breaches due to malware on employee devices.
Because MDM apps live on the employee’s physical device, they generally store and process information locally. Local storage immediately exposes the data to attack vectors that do not exist for data that stays in the datacenter: extraction from a lost device, malware on the personal side of the phone, and offline attacks on the storage encryption. Even if the MDM app never writes data to the device’s long-term storage, processing it locally requires a plaintext copy in memory, which opens the system to memory-dumping (RAM) attacks from a compromised or rooted operating system.
VMI’s architecture means that only a snapshot of the data is transferred to the device at any one time, and not a snapshot of the data itself but a literal image of it. The stream is encrypted in transit, but the viewer has to decrypt each frame to draw it, so a RAM attack is not impossible; it simply yields the frames currently on screen rather than the underlying files or database, which never reach the device.
Storing the data on the local device, even if ringfenced, can pose a threat. Copying the state of a physical storage device and taking the data offline is a single operation, and once offline the thieves have as much time as they need to attempt to crack the encryption, for example by brute-forcing a weak passcode from which the storage key is derived. With VMI, the thieves would instead have to page through the file on screen and repeatedly siphon off the images (screen capture on a rooted device), unless the entirety of the file fits on one screen. A single, sudden attack retains the element of surprise, but a sustained attack generates server-side activity that can be recognized and neutralized.
Finally, because VMI is basically an image viewer and an I/O interface, it is easier to record user actions server-side. Server-side containerization isolates each user’s session in its own container and lets the company watch each container independently. Checking every keystroke against known attack patterns on the user’s own device would be prohibitively costly, but a container server-side can be held in quarantine until the session ends and then scanned for malicious activity before its changes are committed to the databases.
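To make the quarantine-then-commit idea concrete, here is an added example (not code from this post or from any VMI product) of the server-side gating logic in simplified form. Each session stages its writes and deletes instead of applying them to the shared store, every action is logged, and at session end a set of detection rules is run over the log; only a clean session is committed, while a flagged one keeps its staged changes out of the store and hands the findings to an analyst. The rules, thresholds, paths and the in-memory "store" are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Action:
    kind: str            # "read", "write", "delete" or "export"
    path: str
    nbytes: int = 0      # payload size, used by the volume rule


@dataclass
class Session:
    """One user's isolated server-side session: actions are logged and writes
    are staged, never applied to the shared store until the session is cleared."""
    user: str
    actions: list = field(default_factory=list)
    staged_writes: dict = field(default_factory=dict)   # path -> new content
    staged_deletes: set = field(default_factory=set)

    def read(self, store: dict, path: str) -> Optional[str]:
        # The session sees its own staged version before the committed one.
        content = self.staged_writes.get(path, store.get(path))
        self.actions.append(Action("read", path, len(content or "")))
        return content

    def write(self, path: str, content: str) -> None:
        self.staged_writes[path] = content
        self.staged_deletes.discard(path)
        self.actions.append(Action("write", path, len(content)))

    def delete(self, path: str) -> None:
        self.staged_writes.pop(path, None)
        self.staged_deletes.add(path)
        self.actions.append(Action("delete", path))

    def export(self, path: str, nbytes: int) -> None:
        # A download or copy-out request. Nothing leaves the container until
        # the session is cleared, but the intent and the volume are recorded.
        self.actions.append(Action("export", path, nbytes))


# A rule inspects the whole session log and returns a finding string or None.
Rule = Callable[[Session], Optional[str]]


def rule_bulk_export(limit_bytes: int) -> Rule:
    """Flag sessions that try to pull out more data than the allowed volume."""
    def check(s: Session) -> Optional[str]:
        total = sum(a.nbytes for a in s.actions if a.kind == "export")
        if total > limit_bytes:
            return f"bulk export: {total} bytes exceeds limit {limit_bytes}"
        return None
    return check


def rule_mass_delete(max_deletes: int) -> Rule:
    """Flag sessions that delete more objects than a normal workflow would."""
    def check(s: Session) -> Optional[str]:
        n = sum(1 for a in s.actions if a.kind == "delete")
        if n > max_deletes:
            return f"mass delete: {n} deletions exceeds limit {max_deletes}"
        return None
    return check


def rule_restricted_prefix(prefix: str) -> Rule:
    """Flag any write or delete under a path tree the user may only read."""
    def check(s: Session) -> Optional[str]:
        hits = sorted({a.path for a in s.actions
                       if a.kind in ("write", "delete") and a.path.startswith(prefix)})
        if hits:
            return f"modification under restricted prefix {prefix}: {hits}"
        return None
    return check


def scan(session: Session, rules: list) -> list:
    """Run every rule over the session; return the list of findings (empty if clean)."""
    return [f for f in (rule(session) for rule in rules) if f]


def finalize(session: Session, store: dict, rules: list):
    """Scan the session and commit its staged changes only if no rule fired.
    Returns (committed, findings). A flagged session is quarantined: its staged
    changes are discarded rather than applied, and the findings are returned."""
    findings = scan(session, rules)
    if findings:
        return False, findings
    for path in session.staged_deletes:
        store.pop(path, None)
    store.update(session.staged_writes)
    return True, []


if __name__ == "__main__":
    # Constructed sample data: a tiny shared store and one policy set.
    store = {"/docs/plan.txt": "q3 plan", "/hr/salaries.csv": "data"}
    rules = [rule_bulk_export(1_000_000), rule_mass_delete(5), rule_restricted_prefix("/hr/")]
    s = Session("alice")
    s.write("/docs/plan.txt", "q3 plan v2")
    print(finalize(s, store, rules))      # (True, [])
```

The point of the design is that the shared store only ever changes through `finalize`, so a session that trips a rule has no effect beyond its own container; real deployments would attach the session log and the container image to the finding instead of just returning a string.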
See my article specifically dealing with data security and VMI for a deeper discussion.
It seems VMI is superior to MDM in multiple ways. User devices need less processing power, less battery power, and virtually no storage space, yet can still command all the power of a high-end datacenter. Implementing VMI also protects user privacy and corporate confidentiality, with a security setup well suited to traveling employees.
MDM’s greatest advantage manifests in network-sparse areas, since VMI requires a constant connection. High latency also hurts VMI more than MDM, because employees quickly become frustrated at the laggy feel of remote data compared with local data.