Sometimes the only way to make progress is to leave something behind.
The proliferation of mobile devices in the enterprise has introduced many new challenges to IT administrators. The sheer number of potential new nodes with network access creates cause for alarm. Couple that with the notion that these devices are out and about in public, and it creates a recipe for many sleepless nights. To alleviate anxiety and mitigate risk, a district should implement mobile-device management strategies and technologies.
Successful MDM implementation calls for a carefully considered mobile-device policy that outlines requisite device security and points the way to the right MDM solution. An MDM platform should be flexible, keep pace with market changes and support organizational requirements rather than forcing a district to conform to its limitations.
Mobility management in any organization rests atop the strong foundation of a mobile-device policy. Intended to protect both employees and employers, the policy should outline expectations, from the procurement of devices to their appropriate use to loss or theft and everything in between. Developing and maintaining a policy may seem tedious; however, it will lay the ground rules for engagement, promote higher user satisfaction and lead to a more even-keeled experience.
A well-written mobile policy should explain what types of devices are covered under its terms. The policy should also state whether a district allows a bring your own device (BYOD) environment or provides district-owned gear. Expense options should be clearly outlined based on supported scenarios, designating how much of the hardware, data, text, roaming, voice and additional services will be covered by the district versus the employee. It also should state carrier preferences and restrictions, if any.
If the organization intends to restrict certain devices or operating systems, spell that out in the policy. The policy should cover who is responsible for updates to the device. It’s also important to clearly restrict jailbroken or rooted phones on the network because of the support issues and risks associated with such devices. A mobile policy also should be very clear about procedures upon an employee’s departure — both voluntary and involuntary, and should outline procedures in the event of loss or theft.
Mobile policies will vary from district to district, but at a minimum, they should cover the above areas. Failure to do so could result in challenging and costly situations. A mobile policy will not only prevent some of these situations, but also will provide the policy requirements that an MDM platform needs to support. Finally, it’s wise from a legal perspective to ask employees to consent to an acceptable-use policy during enrollment of the device as a condition of gaining access to the district network.
There are a few key “must haves” to ensure device and data security. First, local data encryption is a must for mobile devices connecting to the district network. This will block physical access to the data and places limits on what devices are allowed on the network. However, the risks of not implementing encryption far outweigh user inconvenience.
Strong passwords also should be required and should include a minimum of eight characters. Longer passwords are better but not always practical for the average user. Strong passwords contain a mix of upper- and lowercase letters and at least one number and special character (!, @, #, $). Passwords should never contain user names or common words and should be significantly different from previous passwords.
Devices also should be configured to lock automatically after a specified period of inactivity. This should include locking the screen, keypad, voice activation and voicemail. Also consider remotely locking and/or wiping a device after a certain number of failed login attempts or if a device becomes lost. Lock the device first before wiping it, because this will help encourage reports of lost devices if users believe there is hope of finding it.
It’s also important to segment district and personal data on the device, especially if the organization supports BYOD. Besides being a potential legal issue, segmentation greatly simplifies the delineation between district and employee. This allows IT the flexibility to secure, manage and wipe district data and applications without touching personal data such as pictures, e-mail, music and games.
Devices are rapidly evolving. Whether or not the organization decides to implement a BYOD environment or sticks with district-owned devices, it needs to plan for a diverse ecosystem of hardware. Additionally, the lines between tablets, notebooks and smartphones are becoming increasingly blurred. At a minimum, an MDM platform must support a mobile-device policy and enforce basic device security. It also needs to be flexible enough to evolve and manage a wide array of devices, operating systems, malware and organizational changes.
From a security perspective, an MDM platform should allow for easy device configuration. The fewer clicks, the better. The MDM solution should provide the capability to configure encryption, remote lock, authentication and VPN settings. These configurations should be able to be set from a role or policy-based perspective.
An MDM platform should also provide a smooth and intuitive process for bringing mobile devices onboard. This will reduce a great deal of support issues and user frustration. It’s also important to be able to query the entire mobile inventory of apps and devices. The platform also should allow a swift deprovisioning of devices and users, and must also be able to retrieve or wipe district information from an employee’s mobile device and restrict further network access.
An MDM platform needs to provide analysis and alerts. When users near policy limits for security, roaming and usage, a proactive notification should be sent. It is also useful to have the option of reviewing history and logs to identify trends and resolve issues. Organizations should be able to leverage out-of-the-box reports as well as create custom reports.
By taking the time to identify current and future device ecosystems, organizational liability and security requirements, districts should be able to identify possible MDM platform candidates from the currently crowded field.