Denys Rudyi - Fotolia

Tighten app control and manage identities with EMM

EMM may be the key to balancing personal privacy and business control. Discover important elements of a BYOD policy and new ways to control apps.

A mobile device strategy that only focuses on the device, app control and data is not enough anymore. It leaves out one essential variable: the user.

Mobility managers have been in search of a strategy that can manage and secure all these factors while still balancing users’ personal privacy with control over business processes on mobile devices.

Enterprise mobility management (EMM) may just be the answer they’re looking for. It incorporates key aspects of BYOD policies and features new levels of application control. Once you’ve understood the benefits behind mobile device management (MDM), mobile application management (MAM) and mobile information management (MIM), it’s time to look at EMM for a more holistic mobile management approach.

Why EMM?

EMM is the latest stage in the evolution of management practices. EMM may provide the best opportunity to find that balance between personal privacy and business control because it encompasses much of the work performed by MDM, MAM and MIM systems.

One of the most important aspects of EMM is its ability to manage identities. None of the other types of mobility software focus on the user, just the device, applications and data. Nonetheless, managing identities is an essential and fundamental aspect of EMM.

Identity management enables more streamlined controls through policies applied to groups and roles. IT should be able to use directory information about an employee (such as his assigned department) to determine policies (e.g., strict access controls for executives and finance department employees but less restrictive access for facilities management and sales employees).

EMM also incorporates policies and procedures to implement security best practices and comply with industry and government regulations.

Elements of BYOD policies

Software developers would not start a development project without some understanding of the goals. Similarly, security professionals and systems administrators need to consider the overall goals of a mobility program. It starts with policies that define the range of acceptable and unacceptable uses of devices and data and establishes app control.

BYOD policies can be broadly categorized by the facet of mobility they restrict: devices, applications, data or users.

Mobile device policies tend to parallel the options provided by MDM systems. These typically include features such as:

  • Requiring password locks after periods of inactivity;
  • Encrypting business data persistently stored on a device;
  • Detecting devices that have compromised security (through jailbreaking) and preventing access to data and network services;
  • Restricting hardware features, such as Bluetooth access or cameras; and
  • Blocking some data transmissions, such as sending diagnostic data to software development vendors or allowing data transfers to the cloud.

App control policies define several aspects of app use, including:

  • Specifying what applications are allowed;
  • Wrapping requirements on apps not considered sufficiently secure;
  • Restricting application operations, such as cutting and pasting; and
  • Updating and patching requirements.

Data-oriented policies provide requirements for MIM-focused tools, applications and procedures and include the following:

  • Specifying encryption requirements for data in motion and at rest;
  • Defining minimum encryption strength, including acceptable encryption algorithms and key lengths; and
  • Referencing data classification schemes that define categories of enterprise data and levels of controls around each. For example, data may be categorized as confidential, sensitive or public. Each of the categories should have appropriate rules for how data in that category may be used and distributed.

Companies should have policies that make the requirements clear for employees using personal devices. These can include expectations for protecting devices from loss or theft, updating operating systems and apps and unregistering devices when they're no longer used. BYOD policies should also require users to inform IT if a device is lost or stolen.

New ways to improve app control

Changes in how we work with mobile devices are presenting new ways to control applications beyond MAM. For example, starting in early 2015, Microsoft plans to add MDM features to Office 365 that will work with iOS and Android devices. The new features will allow administrators to:

  • Provide access to Office 365 data only to devices that are centrally managed. That means no synchronizing data with unmanaged devices.
  • Allow for application-specific pin locking.
  • Detect jailbreaks.
  • Manage devices and policies through the Office 365 management portal.

These features are built into the Office 365 service, so there is no need to use special, hardened programs that lack some features of popular productivity and collaboration apps. People who have used limited-function, hardened versions of the Office suite will especially welcome the new features.

In the final article in this series, we will dive into the BYOD lifecycle in the broader IT environment.

Next Steps

Five keys to effective enterprise mobility management

Refresh your knowledge of BYOD policies

Balance user needs and mobile security

Establish security in mobile management

Dig Deeper on Unified endpoint management