It's a big convenience for employees to be able to access the company network from their own mobile devices. At the same time, letting outside devices onto the network is risky. An employee's smartphone might have malware on it, or someone might steal it and retrieve confidential data from it.
Many businesses have a BYOD (bring your own device) policy which puts conditions on mobile use. Getting people to comply is another matter. Mobile device management (MDM) software solves this problem by allowing only approved devices onto the network.
Mobile device risks
Infected mobile devices are a serious risk on a company network. The infection rate has been growing rapidly. Many people are careless about their security practices. Older devices may not be getting security updates any more. Malware on phones may try to steal confidential data or infect other devices on the network.
If devices don't use encryption, they put any company data on them at risk. A stolen phone could hold confidential data or trade secrets that get into an identity thief's hands. If the company is found negligent, it could face lawsuits or fines.
Policies aren't enough
A BYOD policy outlines what employees are allowed to do with mobile devices. It should require people to lock and encrypt their devices and to have security software on them. A review of each device before it's allowed on the network should be mandatory.
Unfortunately, it's easy to get around policies. If all that's necessary is the Wi-Fi password, some people will use whatever device they have, whether it's approved or not. It's difficult to catch them, and the damage may be done by the time anyone in IT notices.
MDM automates BYOD policy
What's needed is software that allows only approved devices and access methods and can shut misbehaving phones out. That's what MDM is about. Employees with approved devices must install an MDM client on their phones, which controls communication with the network. The software can either be installed on the business's premises or run as a cloud service. On-premises software requires more work to manage, but it allows more control.
Devices under MDM management identify themselves using public-key authentication before they're allowed to connect. They typically keep company data in a separate, encrypted area, apart from the user's personal data.
Some people "jailbreak" or "root" their device in order to do things which the vendor doesn't allow. Doing so greatly increases the device's exposure to malware, and MDM software detects the modification and bars the device from the network.
Other benefits of MDM
In addition to keeping out unsafe devices, MDM provides several other advantages. It can:
Enforce password policies
Log device usage
Update software automatically
Wipe lost or stolen devices
However, MDM isn't set-and-forget software. Administrators need to keep the inventory of authorized devices up to date, removing the devices of employees who have left the company. Policies need to be tailored to the business's needs, striking the right balance between security and usability. Some employees either won't have qualifying devices or won't want company software on them, so it may be necessary to issue company devices to them.
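The admission gate described above (public-key authentication of enrolled devices, rejection of jailbroken or unencrypted ones, and an inventory that administrators keep current) can be sketched in a few dozen lines. The following Go program is an added example written for this page, not code from any MDM product; the inventory layout, the posture fields the client reports, and the 30-day update limit are assumptions chosen for illustration. The device signs a fresh random challenge with its enrolled Ed25519 key, and the server only admits the device when the signature verifies against the inventory, the enrollment is still active, and the self-reported posture meets policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Posture is the self-report a hypothetical MDM client sends with its
// connection request. The field names are assumptions for this example.
type Posture struct {
	StorageEncrypted bool
	Rooted           bool // jailbroken or rooted
	UpdateAgeDays    int  // days since the last security update
}

// Enrollment is one row of the MDM inventory of approved devices.
type Enrollment struct {
	Owner  string
	PubKey ed25519.PublicKey
	Active bool // set to false when the employee leaves or the device is retired
}

// Inventory maps device IDs to enrollments; administrators keep it current.
type Inventory map[string]Enrollment

// ConnectRequest is what the device sends back after receiving a challenge.
type ConnectRequest struct {
	DeviceID  string
	Challenge []byte
	Signature []byte
	Posture   Posture
}

// maxUpdateAgeDays is an assumed policy value: devices more than a month
// behind on security updates are refused.
const maxUpdateAgeDays = 30

// NewChallenge returns a random nonce the device must sign, so a signature
// captured from one connection cannot be replayed in another.
func NewChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// SignChallenge is the device side: the MDM client signs the nonce with the
// private key it was given at enrollment.
func SignChallenge(priv ed25519.PrivateKey, challenge []byte) []byte {
	return ed25519.Sign(priv, challenge)
}

// Authorize is the server side of the gate: only enrolled, still-active
// devices that prove possession of their private key and report an
// acceptable posture are let onto the network. A nil return means admitted.
func (inv Inventory) Authorize(req ConnectRequest) error {
	e, ok := inv[req.DeviceID]
	if !ok {
		return errors.New("device not enrolled")
	}
	if !e.Active {
		return errors.New("enrollment revoked")
	}
	if !ed25519.Verify(e.PubKey, req.Challenge, req.Signature) {
		return errors.New("signature does not match enrolled public key")
	}
	if req.Posture.Rooted {
		return errors.New("device is jailbroken or rooted")
	}
	if !req.Posture.StorageEncrypted {
		return errors.New("device storage is not encrypted")
	}
	if req.Posture.UpdateAgeDays > maxUpdateAgeDays {
		return fmt.Errorf("security updates are %d days old", req.Posture.UpdateAgeDays)
	}
	return nil
}

func main() {
	// Constructed sample enrollment: one device belonging to "alice".
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	inv := Inventory{"phone-001": {Owner: "alice", PubKey: pub, Active: true}}

	ch, _ := NewChallenge()
	req := ConnectRequest{
		DeviceID:  "phone-001",
		Challenge: ch,
		Signature: SignChallenge(priv, ch),
		Posture:   Posture{StorageEncrypted: true, Rooted: false, UpdateAgeDays: 12},
	}
	fmt.Println("compliant device:", inv.Authorize(req)) // <nil>, admitted

	req.Posture.Rooted = true
	fmt.Println("rooted device:   ", inv.Authorize(req)) // refused
}
```

The order of checks matters in practice: the inventory and signature checks come first so that a device which is not enrolled (or whose owner has left) is turned away before its self-reported posture is even considered, and the random challenge means the client must hold the private key at connection time rather than replaying an old proof.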
Employees will typically access business servers through a Wi-Fi access point or a VPN. MDM works best when it's integrated with other network security measures. It also needs to work well with the server software which employees need to access. When the parts of the network fit smoothly together, security doesn't get in the way of doing work.
Allowing unrestricted mobile access to a business network puts it at serious risk. A BYOD policy helps, but without automatic enforcement, it doesn't stop mistakes and shortcuts. MDM is the only effective way to let employees use personal mobile devices without excessive risk.
Contact us at White Mountain IT for expert help in managing your network.