Redefining device management: Why reports of MDM’s death are greatly exaggerated

By Tim Williams, Director of Product Management at Absolute Software

It’s become fashionable in some circles to suggest that Mobile Device Management (MDM) is dead, but nothing could be further from the truth. While MDM is still very much in its infancy, its boundaries continue to expand. It’s no wonder people (even the experts) are confused.

It’s hard to believe, but only ten years ago built-in Wi-Fi was just an option on laptops. And although laptops definitely changed the endpoint management landscape, companies were still able to maintain the typical “top-down lockdown” approach via client management software, VPNs and restricted admin rights. BlackBerry offered the same fenced-in, cookie-cutter approach for managing smartphones.

Although the iPhone entered the market in 2007 to great fanfare, it was the iPad in early 2010 that forever kicked in the doors to a well-managed network. The iPad was a favourite of senior management who had no qualms about jumping the queue in IT to get their latest toy supported. This led to the Apple MDM API and a trickle-down effect that quickly became a deluge of bring-your-own-device (BYOD) users.

Suddenly, the “top-down lockdown” approach wasn’t possible since the devices were no longer owned by the company, and limiting what type of device an employee could use was also off the table. That ship sailed the day the CEO brought in his first iPad.

The struggle to define best practices for MDM and client management continues to this day.

But it’s important to remember that we’re not redefining devices – let Apple, Samsung, and Microsoft do that. All we need to worry about is how these devices will be managed.

BYOD, CYOD, and COPE – does it matter?

There really are three drivers to the new management landscape:

1) The typical user relies on more than one device and for the foreseeable future, one of these devices will be a computer. This means that MDM cannot replace traditional client management technology. Instead it must complement and coordinate with it. Ideally it will be an integrated part of the same infrastructure. This perspective is supported by leading industry analysts who agree (in a rare moment of consensus) that separate management frameworks for different form factors are unsustainable in the long run. Ultimately, the practices and tools for client and mobile device management must converge.

2) As the price of the hardware has come down, the value (and portability) of corporate data has gone up. This has introduced entirely new risks or emphasised existing hazards. After all, companies that allow Outlook Web Access from employee-owned computers are facing no greater risk when they provision email to employee-owned smartphones. But the risks are real and they’ve become one of the biggest considerations when it comes to device management.

3) It’s not only about the device…it’s about the user getting what they need when they need it. As ownership has shifted to the end user, it’s become increasingly clear that it doesn’t really matter if they are using a laptop, tablet or smartphone. They just want to have their stuff. Users want to be productive on the devices they’ve chosen, regardless of operating system or form factor. And if you don’t help them, they will help themselves. This is a problem for the top-down lockdown approach because the more troublesome the restrictions, the more likely the user will be to circumvent them – not maliciously, but simply in order to get the apps and data (the stuff) they need to be productive.

Add this up and it points to a new management paradigm that is user-centric, not user-restrictive…an approach that focuses less on the device and more on security for corporate data and apps. It’s not about BYOD, CYOD, COPE, or any other acronym. In the end, it doesn’t really matter who owns the device – instead IT should focus on who is using it and how. A policy-driven, user-centric framework will adapt easily to this approach.

M*M (alphabet soup)

There is heavy competition amongst software vendors to win the battle of the acronym, with Mobile Device Management (MDM), Mobile Content Management (MCM), Mobile Application Management (MAM), and more. So what do these mean and which one is the priority?

It turns out that most M*M technologies are really just component parts of comprehensive MDM; they do not exist outside of the MDM.

The good news is that modern mobile operating systems are getting better at supporting these functions. The Apple Volume Purchase Program (VPP), per-app VPN, and enhanced data controls make it easier for enterprises to manage content, apps, and access – while various Android vendors continue to differentiate their devices with their own, similar enhancements. While device standardisation may be difficult, it’s not impossible – although it will impose some “homework” duties on IT to understand what is possible.

A conflict of visions

It would be misleading to suggest that “top-down lockdown” has disappeared. It remains the best approach to management and security for many organizations, because the best approach can only be determined by your specific requirements for security, regulatory compliance, and the business.

Fortunately, many highly secure options are available. Persistent endpoint security provides the ability to track and secure all the devices in a deployment. Laptops, tablets, and smartphones can be remotely managed and secured to ensure—and most importantly prove—that endpoint IT compliance processes are properly implemented and enforced.

Samsung is among the market leaders, beginning with the extensive Samsung SAFE management API and continuing with Samsung KNOX, a containerisation technology built into their version of the Android operating system. This provides a high security, high control approach to mobility. The US Department of Defence, which clearly has high security requirements, has approved the use of Samsung KNOX for their devices.

However, as with the base operating systems, KNOX is best managed using the same user-centric, policy-driven practices made necessary by the free-for-all that is BYOD. In the end, “top-down lockdown” must be one of many options implemented to support the mix of devices and users within most organisations.

The bottom line

Reports of the death of MDM are greatly exaggerated. Instead, we’re shifting to a new understanding of endpoint management: a policy-driven, user-centric framework that accounts for data, apps and security across multiple operating systems, form factors, and owners.


25 Aug 2014, 5:46 p.m.

You mention per-app VPN; what I find curious is that I don't hear more about the fact that most BYOD implementations and MDM solutions generally assume one person, one employer who will basically control the "second half" of the device - i.e. put a container on "the corporate side". But in this age of decreased corporate loyalty and increased contract work - as well as need for multiple data controls - when will we start hearing about multiple containers per device (whatever the "container" may mean)? I suppose we are walking before we run, but I can envision someone on multiple company boards, or someone with multiple clients, as examples, needing to access several containers - implying several, distinct rulesets per access method, on a single device.
Interesting to know if any MDM vendors are yet thinking this way.


9 Sep 2014, 5:21 p.m.

You raise some interesting points. I think you're right that most MDM vendors have the view of a single "manager" (usually the employer). Device and OS vendors generally share this view and so make it possible to only have a single manager at a time on a given device. For the special use case of a contractor, the provisioning requirements will usually be much simpler than for an employee; e.g. email is most likely not required and access to needed resources onsite can typically be added and removed fairly easily. Within current limits of the devices on the market, this still seems to be the simplest approach. But I like the way you are thinking. Thanks for the comment.