

Acceptable use policies, MDM help desktop admins wrangle devices

Managing an eclectic collection of devices is challenging, but IT administrators just need to establish policies and find a mobile device management tool to help enforce them.

The first step in establishing meaningful mobile device management is to develop acceptable use policies. Doing so means answering some basic questions and then turning those answers into a formal policy.

For example, can users access network resources from personal devices, or is access limited to corporate-owned endpoints? Another important consideration is whether there should be restrictions on the types of devices that workers are allowed to use. For example, is it a problem if a user connects to the network with a first-generation Apple iPhone, or should IT limit connectivity to devices that run newer operating systems?

Once mobile device policies are in place, the next step is to look for a device management tool to implement those policies. One of the first concerns IT must address is security. Despite the vast differences between today's mobile endpoints, devices share some common ground when it comes to security.

Before IT can apply security policies to a device, the network must recognize it. Most mobile devices cannot be domain-joined, so mobile device management (MDM) tools use device enrollment to register them instead. This registration process lets the network identify the device and allows IT to manage it.

Many vendors take the enrollment process a step further and offer tools to enable self-service enrollment. This way, organizations that allow users to work from personal devices can shift the enrollment burden from the administrative staff to the end user. Admins can typically enroll a device in a matter of seconds, but no one wants to manually enroll thousands of them. Letting users enroll their own devices gives them the flexibility to add new endpoints whenever they want, and it frees the administrative staff from having to do it manually.

Once a device is enrolled, IT can secure it. Each device management software vendor takes a slightly different approach to device security, but in most cases, the process of securing a device and enrolling it are tightly intertwined. Some device management tools let administrators prevent users from enrolling unauthorized devices. For example, an administrator might block a user from enrolling a particular device if it runs an unsupported or outdated operating system, or if the device is jailbroken.

Enrollment is also the time when IT can ask users to agree to adhere to certain policies. Workers expect to use their own personal devices any way they see fit, but IT staff cannot permit behavior that could compromise the security of network resources, regardless of who owns the device. As such, the device enrollment process typically requires the user to agree to certain terms, such as security and acceptable use policies.

Once the user accepts the terms of the agreement, the enrollment process is complete and the device is secured. Not every device includes the same security settings, but the more common ones tend to be universal. As a result, MDM vendors can provide a standardized interface that works, regardless of device type. The interface configures device-level security settings either through device-specific APIs or industry-standard mechanisms, such as Microsoft Exchange ActiveSync policies.
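The enrollment gate described above (block unsupported or outdated operating systems and jailbroken devices, enforce the personal-device rule, and require acceptance of the acceptable use policy) can be expressed as one policy check that runs before registration. The following is an added example written for this article, not code from any MDM vendor; the device attributes, minimum OS versions and device records are constructed for illustration, and the rule collects every failing check so the user sees all of them at once rather than only the first.

```python
"""Enrollment policy check for a hypothetical MDM enrollment service.

Added example for this article; the Device fields, policy values and sample
devices below are constructed and do not describe any vendor's product.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    platform: str            # e.g. "ios" or "android" (constructed values)
    os_version: tuple        # (major, minor), compared as a tuple
    corporate_owned: bool
    jailbroken: bool         # jailbroken/rooted flag reported by the agent
    accepted_terms: bool     # user accepted the acceptable use policy at enrollment


@dataclass(frozen=True)
class EnrollmentPolicy:
    min_os: dict                         # platform -> minimum supported version
    allow_personal_devices: bool = True  # BYOD permitted?
    block_jailbroken: bool = True


def evaluate_enrollment(device, policy):
    """Return (allowed, reasons).

    Every rule is evaluated so the user gets the full list of problems;
    the device is admitted only when no reason was recorded.
    """
    reasons = []

    # Device type restriction: unknown platforms and old OS releases are refused.
    if device.platform not in policy.min_os:
        reasons.append(f"unsupported platform: {device.platform}")
    elif device.os_version < policy.min_os[device.platform]:
        reasons.append("outdated operating system")

    # Ownership rule from the acceptable use policy.
    if not device.corporate_owned and not policy.allow_personal_devices:
        reasons.append("personal devices not permitted")

    # Integrity rule: a jailbroken/rooted device cannot be trusted to enforce settings.
    if policy.block_jailbroken and device.jailbroken:
        reasons.append("device is jailbroken or rooted")

    # Enrollment is also where the user must agree to the policies.
    if not device.accepted_terms:
        reasons.append("acceptable use policy not accepted")

    return (not reasons, reasons)


# Constructed sample policy and devices for a stand-alone run.
SAMPLE_POLICY = EnrollmentPolicy(min_os={"ios": (15, 0), "android": (12, 0)})
SAMPLE_DEVICES = [
    Device("phone-1", "ios", (16, 4), corporate_owned=False, jailbroken=False, accepted_terms=True),
    Device("phone-2", "ios", (9, 3), corporate_owned=False, jailbroken=True, accepted_terms=False),
    Device("phone-3", "blackberry", (10, 0), corporate_owned=True, jailbroken=False, accepted_terms=True),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        allowed, reasons = evaluate_enrollment(dev, SAMPLE_POLICY)
        print(dev.device_id, "allowed" if allowed else "blocked", reasons)
```

Versions are compared as tuples so that (16, 4) correctly sorts above (9, 3); comparing version strings would get that wrong. Changing the policy object (for example, `allow_personal_devices=False`) changes the outcome without touching the rule code, which is the point of keeping the acceptable use policy as data.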

Delivering software

Another challenge of dealing with device diversity is software distribution. In PC-only environments, application compatibility isn't much of an issue. If each PC has the necessary hardware and operating system, admins can easily push an application to each corporate-owned PC. The same cannot be said for today's multi-platform environments. An administrator cannot push a Windows desktop application to an Apple iOS device and expect it to run. Today, each class of devices has its own unique architecture and operating system, so applications usually only run on a single platform. If a user decides to work from his personal device, his organization must license any software it deploys to that device.

MDM vendors take various approaches to software distribution. Some vendors offer enterprise app stores that IT can preload with corporate-approved applications. If a user wants to install an application on his device, he simply connects to the app store and initiates the download process. The app store checks to see what type of device he has and only offers applications that are compatible with that device.

Organizations must still adhere to licensing rules, but enterprise app stores can facilitate license management. For starters, most organizations only allow enrolled devices to access the enterprise app store; the stores are not usually available for nonemployees. Enterprise app stores can also keep track of licenses. When an administrator adds an application to the store, he specifies the number of licenses that are available. When a user installs the application, the available license count is reduced. When a user uninstalls an application, the available license count goes back up.

Because MDM products can differentiate between an organization's applications and a user's personal applications, such products can cope with the unique challenges that bring-your-own-device environments present. When a user enrolls a personal device, the MDM software keeps track of which apps the organization deployed to the device. If the user eventually decides to de-enroll the device, the MDM software may be able to remove the organization's applications -- and reclaim the licenses -- without disrupting the user's personal apps or data. The actual capabilities and methods used vary from one vendor's product to the next, however.
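The enterprise app store behaviour described in the last three paragraphs (only enrolled devices see the store, the catalog is filtered by device platform, installs consume licenses and uninstalls return them, and de-enrolling a personal device removes only the organization's apps and reclaims their licenses) fits in a small model. This is an added example written for this article, not any vendor's product; the app names, platforms and license counts are constructed.

```python
"""Model of an enterprise app store with platform filtering and license counting.

Added example for this article; not code from any MDM vendor. App names,
platform tags and license counts are constructed for illustration.
"""


class EnterpriseAppStore:
    def __init__(self):
        self._apps = {}       # app name -> {"platforms": set of str, "free": int}
        self._devices = {}    # device_id -> platform, for enrolled devices only
        self._installed = {}  # device_id -> set of app names the org deployed

    def enroll(self, device_id, platform):
        self._devices[device_id] = platform
        self._installed.setdefault(device_id, set())

    def add_app(self, name, platforms, licenses):
        # The administrator states how many licenses are available when adding the app.
        self._apps[name] = {"platforms": set(platforms), "free": licenses}

    def available(self, name):
        return self._apps[name]["free"]

    def catalog(self, device_id):
        # Nonenrolled devices see nothing; enrolled ones see only compatible apps.
        platform = self._devices.get(device_id)
        if platform is None:
            return []
        return sorted(n for n, a in self._apps.items() if platform in a["platforms"])

    def install(self, device_id, name):
        """Return (ok, message); a failed install never changes the license count."""
        if device_id not in self._devices:
            return (False, "device not enrolled")
        if name not in self.catalog(device_id):
            return (False, "app unavailable or incompatible with this device")
        if name in self._installed[device_id]:
            return (True, "already installed")
        if self._apps[name]["free"] <= 0:
            return (False, "no licenses available")
        self._apps[name]["free"] -= 1
        self._installed[device_id].add(name)
        return (True, "installed")

    def uninstall(self, device_id, name):
        # Uninstalling returns the license to the pool.
        if name in self._installed.get(device_id, set()):
            self._installed[device_id].discard(name)
            self._apps[name]["free"] += 1
            return True
        return False

    def de_enroll(self, device_id):
        """Remove the organization's apps from the device and reclaim their licenses.

        Personal apps are never tracked here, so they are untouched by design.
        Returns the sorted list of apps that were removed.
        """
        removed = sorted(self._installed.pop(device_id, set()))
        for name in removed:
            self._apps[name]["free"] += 1
        self._devices.pop(device_id, None)
        return removed


if __name__ == "__main__":
    store = EnterpriseAppStore()
    store.add_app("crm", ["ios", "android"], licenses=1)
    store.add_app("legacy-erp", ["windows"], licenses=5)
    store.enroll("phone-1", "ios")
    print(store.catalog("phone-1"), store.install("phone-1", "crm"))
    print(store.de_enroll("phone-1"), store.available("crm"))
```

The store only ever touches apps it deployed itself, which is what lets it wipe corporate software from a departing personal device without reaching into the user's own apps or data; real products differ in how completely they can do this, as the article notes.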
