We have explored the importance of setting policies and training users on mobile device security and management; now we wrap up with how to enforce these policies, recommended tools, and first steps to mobile device security.
Enforcement is usually assisted by a Mobile Device Management (MDM) tool, typically a software-based application that requires an agent to be installed on the mobile device. Once installed, this agent connects back (remotely) to a central console from which an administrator can monitor, manage, and secure the mobile device and also support its user.
MDM features typically include:
- Enforce user security policy:
  - Require complex password with frequent changes
  - Permit remote access only via SSL or VPN
  - Lock down browser settings
  - Enable encryption
- Recover lost or stolen devices:
  - Activate alarm (set off an audible alarm on the device)
  - Enable track and locate (track and locate the device via GPS)
  - Permit remote wipe (complete erasure of the device as a last resort)
- Control mobile device applications:
  - Recognize and prevent installation of unauthorized applications
  - Permit whitelisting and blacklisting of applications
  - Restrict or block application stores
- Remotely deploy and configure applications (email, etc.)
- Audit the mobile device for installed software, configuration, and capacity
ComputerWorld has a comprehensive article on the challenges of MDM. View it at
To support our mobile device clients, we use the MDM capabilities built into Kaseya, our Remote Monitoring and Management tool. Other MDM providers include:
While MDM provides a comprehensive tool, it can be costly to procure and support. Many companies utilize a trusted business partner (like Bryley) to provide MDM tooling, monitoring, and support for their mobile devices on an ongoing basis with pricing that ranges from $15 (in quantity) to $75 per device per month.
Alternatively, Microsoft Exchange 2010 offers many MDM-type features through Exchange ActiveSync (EAS), an included protocol that is licensed by end-user or end-device Client Access License (CAL). The Exchange 2010 Standard CAL licenses:
- Password security policies
- Encryption required
- Remote wipe
The Exchange 2010 Enterprise Add-On CAL licenses advanced features including:
- Allow/disallow Internet browser, consumer email, unsigned installation, etc.
- Allow/disallow removable storage, Wi-Fi, Internet sharing, etc.
- Allow/block specific applications
- Per-user journaling
- Integrated archive
Exchange Server Standard 2010 is $709; Standard CALs are $68 each while the Enterprise Add-On CAL is an additional $42 each (based on list prices for business).
The main difference between MDM and EAS: most MDM tools provide greater control over the mobile device during its lifecycle and can provide control over the device even before email is configured.
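The Standard CAL features listed above (password policy, required encryption, remote wipe) map onto a single ActiveSync mailbox policy. The following is an added example for the Exchange 2010 Management Shell, not part of the original article; the policy name, mailbox alias, and numeric values are assumptions to adjust to your own policy.

```powershell
# Added example: run in the Exchange Management Shell on Exchange 2010.
# Policy name, mailbox alias and all numeric values below are assumptions.
$policyName = 'Mobile-Baseline'   # hypothetical policy name
$mailbox    = 'jdoe'              # hypothetical mailbox alias

# Standard CAL features: password security and required encryption.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 8 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false   # refuse devices that cannot enforce the policy

# Enterprise Add-On CAL features (apply only if those CALs are licensed).
# Shown commented out so the baseline stays within the Standard CAL.
# Set-ActiveSyncMailboxPolicy -Identity $policyName `
#     -AllowBrowser $false -AllowConsumerEmail $false `
#     -AllowUnsignedApplications $false -AllowStorageCard $false `
#     -AllowInternetSharing $false

# Assign the policy to a mailbox and confirm what will be enforced.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, MinDevicePasswordLength,
                MaxInactivityTimeDeviceLock, RequireDeviceEncryption

# Remote wipe (last resort): list the user's devices first, then wipe one.
Get-ActiveSyncDevice -Mailbox $mailbox |
    Format-Table Identity, DeviceType, DeviceModel -AutoSize
# The wipe itself is left commented out; it erases the device.
# Clear-ActiveSyncDevice -Identity 'DEVICE-IDENTITY-PLACEHOLDER' `
#     -NotificationEmailAddresses 'admin@example.com'
```

Whether each setting is honored depends on the device's ActiveSync client, so confirm the result on a test device before assigning the policy widely.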
Other recommended tools include:
- Anti-malware: AVG Mobilation – From free to $9.99 for Pro version
- Protect and find phone via key-case fob – Kensington Bungee Air at $79.99
First step suggestions
These are our minimum, first-step suggestions:
- Deploy anti-malware software immediately and manage it continuously
- Require a password to activate the device, with a low auto-lock time
- Update mobile devices through vendor-approved patching
- Enable on-board encryption if handling sensitive data
Visit 10 Steps to Secure Your Mobile Device for detailed recommendations on securing your mobile device.