
Six questions to ask before buying enterprise MDM products

Mobile device management can be a crucial part of enterprise security. Expert Matt Pascucci presents the key questions to ask when investigating MDM products.

As the mobile market continues to explode, it's become increasingly important that organizations deploy mobile device management (MDM) to more effectively manage smartphones and tablets, as well as better protect those mobile devices from data loss and malicious use. Today, it's really not a matter of if mobile device security should be deployed -- it's more a matter of when and how quickly.

It's imperative, however, that businesses take the time to make an educated decision regarding which MDM platforms are right for their mobile management and security goals. The majority of MDM products perform very similar functions, but it is how they do so that must be closely reviewed and compared. Before starting to compare and contrast MDM products, organizations should establish a set of organizationally specific criteria on which to base these comparisons. This will help determine which MDM product(s) will perform up to the standards required for their network and mobile device profiles.

To establish these criteria, enterprises should ask themselves the questions outlined in this article. The answers will lead them toward building a personalized feature checklist that can guide them in determining which mobile device management products best fulfill their particular smartphone/tablet deployment and usage characteristics.

MDM: Is BYOD a consideration?

Protecting company data on personal mobile devices can be challenging. Bring your own device (BYOD) is something that needs to be reviewed in detail before making a decision on which MDM vendor to go with.

Will the organization allow end users to use personal smartphones and tablets for business? If so, will users have the potential to store company data on their mobile devices while they're being protected and managed by an MDM product?

When looking into MDM to use in a BYOD environment, organizations should verify that vendors have streamlined self-service options and provide organizations with the ability to protect company data separately from personal information. A self-service model allows businesses to quickly onboard users into the MDM product for quicker turnaround in getting mobile devices protected with the appropriate security policies. This can be done via policy enforcement -- by pushing software changes to the phone with company security options integrated into it -- or by using containerization, which allows organizations to secure all company data (and user access to that data) from within a secured app on the mobile device.

Organizations should carefully review these capabilities (self-service options and data protection) up front with each MDM product under consideration for a BYOD environment.

MDM: On-premises or in the cloud?

Many IT security applications are going the software as a service (SaaS) route these days, and MDM is no different. Before making a decision on whether to deploy on-premises or cloud-based MDM, it is important to understand the difference between supporting and managing the two mobile management and security methods.

Will IT have the technical know-how, time and manpower to manage an MDM system on-site (patching, building the infrastructure, managing the uptime of the environment and so on)? Or will it benefit from eliminating these daily support factors by turning to an MDM product run out of the cloud? Deploying a cloud-based MDM system often means greater flexibility for companies (some products even allow them to set up test environments to train with and verify settings before pushing those to production and out into the cloud).


These cloud-based MDM products are SaaS implementations that free administrators from managing physical appliances or making firewall changes to allow access back into their networks. They are hosted on vendor servers, and often offer organizations the flexibility to have a separate install of the MDM product available for administrators to train on. Businesses could think of this as a quality assurance version of the MDM system that administrators can experiment with before making changes to the production version that's hosting live user accounts.

With cloud-based MDM, organizations need to weigh the risks of putting company data into an environment they don't have complete control over. For some enterprises, these risks (of having data hosted outside their network, not being able to control the uptime of applications, reliance on a third party for data security and so on) and desire for control do not outweigh the benefits (requiring fewer resources to manage an MDM, no longer patching or maintaining MDM hardware and software, the ability to have someone else secure company data, among others) of managing and securing mobile devices from the cloud.

Those considering cloud-based MDM should be sure to perform due diligence on the cloud provider to gauge how it secures customer data before moving forward. It is ultimately an organization's data that will be stored in the cloud, so it should treat the security of this data the same as it would if it was stored within its physical network. In addition, verify that segmentation, vulnerability management and privacy are followed to corporate standards by the cloud provider.

A good place to start is by utilizing the Consensus Assessments Initiative Questionnaire (CAIQ) by the Cloud Security Alliance to dig deeper into each vendor's cloud security profile. The CAIQ is a survey designed to help cloud consumers and auditors evaluate the security capabilities of cloud providers.

What type of apps can integrate into the MDM?

Businesses are employing apps on mobile devices to enable end users to work from anywhere nowadays. This ability to let users run CRM apps, custom apps built internally, or just about any app organizations would like employees to use, is an important consideration when selecting an MDM product.

The MDM products being considered by an enterprise should allow IT to manage, integrate and push policy to all the mobile apps the company supports. For example, if a business is using a CRM application that all of its sales team needs to access, it should be able to whitelist this app and push it down to the user's mobile device. This allows for more control over the device and the version of the application being used by employees.

Certain MDM vendors, meanwhile, partner with app vendors to allow for greater flexibility and security of their apps when used with their particular MDM product. These apps are tailored toward the MDM to limit risk, or allow only certain versions of the app to be installed on mobile devices.

There are also certain apps that organizations wouldn't want installed. The MDM of choice should be able to report on all apps across a company's mobile device base to create an inventory of what's installed and whether there are unapproved apps loaded that are against written policy. There should also be the option to lock down what can be installed on mobile devices and give administrators the option to perform whitelisting on the MDM, limiting app installs to only approved software.

The mobile app is the reason smartphones and tablets have evolved so rapidly into essential tools for business over the last few years. The integration of business apps into MDM assists with provisioning of these apps/business tools and allows for faster and -- even more importantly -- secure deployment and support.

Will MDM agents be containerless or containerized?

It is important to know whether a mobile management and security product that is under consideration is based on the ideology of containerization, or if it uses the containerless philosophy.

Containerization installs all MDM data within a dedicated agent container on mobile devices. This means any company-owned data is stored securely within this app without fear of leakage or theft. Nothing is able to enter the container (or be removed from it) while it is on the mobile device. Containerless MDM, on the other hand, allows for a more native experience for end users because they don't have to adhere to using the container app to perform all job activities (i.e., email, file storage). These types of MDM products allow employees to use apps already installed on their mobile devices, for example, whereas those based on containerization only let them use apps that are within a container for business.

There are pros and cons to both sides, so before looking at MDM vendors an organization should understand which school of thought, containerization or containerless, it subscribes to first.

With containerization, since all company data and applications are held in an app that's walled off from the rest of the mobile system and can be managed at the drop of a hat, IT can be confident that nothing related to the company is left lingering once it removes this app from a mobile device. By contrast, containerless MDMs maintain the native feel of mobile devices, which is a benefit to end users, but also make it more difficult for security teams to manage -- as company data and apps aren't isolated (or walled off) from personal data and apps, as they are with containerized MDM.

Organizations that prefer to offer end users a more seamless mobile device experience should consider containerless MDM first. Just be certain that the MDM products under consideration provide IT with the ability to confidently monitor and remove company data and applications when needed. If an MDM product can't easily let admins wipe all corporate data from a system, there's a possibility that sensitive information will make its way out of employee (and thereby company) hands. This needs to be seriously considered when using containerless MDM.

What MDM profile options are available?

Besides the functionality questions described above, profile options are one of the most important areas to focus on when reviewing potential MDM candidates. It is here that companies will review security capabilities to determine if MDM products have all the features required for securing not only company data, but also the mobile device itself.

A few of these MDM security features to look for are the ability to: push passwords/PINs, let admins remote wipe mobile devices, create VPN tunnels back into a secure network for data and application use, enable policies to detect rooted and jailbroken systems, verify encryption on mobile devices, use certificates for authentication, whitelist/blacklist the installation of apps, perform GPS reviews of mobile device locations (this can have privacy implications, but could be a use case organizations may want to review), limit features on mobile devices (disabling cameras, memory expansion and so on) and more.

An organization's policy of what security features are required, or could be enabled, should be written out before entering into conversations with MDM vendors. Knowing how locked down an enterprise wants mobile devices to be will assist it with asking the proper questions when procuring a mobile management and security product.
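The app-inventory reporting described earlier and the profile options listed in this section (passcode policy, encryption, rooted/jailbroken detection, app whitelisting, remote or selective wipe) come together in a compliance check like the one below. This is an added example, not code from the article or from any MDM product; the Device schema, the policy values, the app ids and the inventory records are all constructed for illustration.

```python
# Added example (not the article's or any MDM vendor's code); all data is constructed.
from dataclasses import dataclass, field

@dataclass
class Device:
    device_id: str
    ownership: str      # "corporate" or "byod"
    encrypted: bool
    jailbroken: bool
    pin_length: int     # 0 means no passcode set
    apps: list[str] = field(default_factory=list)

POLICY = {  # the organization's written feature checklist (constructed values)
    "min_pin_length": 6,
    "approved_apps": {"com.example.crm", "com.example.mail", "com.example.vpn"},
    "blocked_apps": {"com.example.filesharing"},
}

def evaluate(dev: Device, policy: dict = POLICY) -> list[str]:
    """Return policy violations for one device; an empty list means compliant."""
    findings = []
    if dev.jailbroken:
        findings.append("rooted/jailbroken")
    if not dev.encrypted:
        findings.append("storage not encrypted")
    if dev.pin_length < policy["min_pin_length"]:
        findings.append("passcode missing or too short")
    for app in dev.apps:
        if app in policy["blocked_apps"]:
            findings.append("blocked app: " + app)
        elif dev.ownership == "corporate" and app not in policy["approved_apps"]:
            # Whitelisting binds company-issued devices; BYOD personal apps sit outside the container.
            findings.append("unapproved app: " + app)
    return findings

def recommended_action(dev: Device, findings: list[str]) -> str:
    """Remediation to request from the MDM: full wipe only for company hardware, selective wipe on BYOD."""
    if not findings:
        return "none"
    if "rooted/jailbroken" in findings or "storage not encrypted" in findings:
        return "remote wipe" if dev.ownership == "corporate" else "selective wipe"
    return "block corporate access until remediated"

INVENTORY = [  # constructed, in the shape of an MDM app-inventory report
    Device("corp-001", "corporate", True, False, 6, ["com.example.crm"]),
    Device("corp-002", "corporate", True, False, 4, ["com.example.crm", "com.example.game"]),
    Device("byod-001", "byod", False, True, 6, ["com.example.mail", "com.example.game"]),
    Device("byod-002", "byod", True, False, 8, ["com.example.filesharing"]),
]
```

Running `evaluate` and `recommended_action` over each record in `INVENTORY` gives the per-device findings and the action an administrator would request from the MDM.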

How is the MDM product priced?

MDM products are priced in a few different ways today, so be sure to have all budgeting options reviewed before making a purchase. For instance, first determine if the MDM system desired is going to be based in the cloud or on-premises, as these types of MDM deployments will affect the organization's IT budget in different ways. Cloud-based MDM will be an operational expenditure (OpEx), meaning that this would come from the budget that allows for licensing and operational improvements to the business, while an on-premises MDM deployment will mostly be a capital expenditure (CapEx), meaning it will be seen as a fixed asset (or something that will be used as an improvement to the business).

The funds for an MDM product need to be procured from the appropriate budget (OpEx or CapEx) before a decision is made as to which type of MDM (cloud or on-premises) should be installed. It may be cheaper to go with cloud MDM, for example, but the OpEx budget may not be there to support that type of deployment. As a result, this could force an organization's hand toward an on-premises product.

Also, in terms of user licensing, there are pricing models where vendors license MDM systems either by device or by user. Depending on the organization, it may be cheaper to go with a user-based model (where the organization pays for one user account and puts it on as many devices as needed) or the device-based model (where a vendor charges based off every system that its software is installed on).

There are also times organizations can pay via a hybrid model (using user and device licensing) to help them get the most for their money. As an example, it would be more straightforward to purchase a device-licensed MDM product if users are going to be issued devices via a company that controls what the employees use. This is compared to the user option, where organizations let end users install a license on multiple devices, not just the one that IT may have issued to them. There's also a hybrid licensing method that can be used to allow organizations to use device licensing for those using one device issued by the company, and user-based licensing for those (like executives) that want multiple devices at their disposal.


There are many factors to consider when purchasing an MDM product for securing and managing mobile devices. The questions outlined in this article are designed to get readers thinking about their organization's individual MDM needs before starting to evaluate specific MDM vendors.

The biggest decision to make is the type of MDM to install. Will it be a containerized system or a containerless MDM? After deciding which way to go regarding this approach, administrators should decide what security options they want in an MDM product.

We reviewed some of the major selections above (remote wipe, password lockdown, app whitelisting, among others), but a thorough proof of concept should be run to verify the product provides the security it advertises within an organization's particular IT environment. This is important because many times there are features, such as certificate management, that need to be tested within the current production environment before an organization can know for sure an MDM product is a good fit.

Once this is completed, review where the MDM will be installed and managed. Will it be in the cloud, or will it be brought in-house to be managed? Does the organization have the resources to manage the system in-house, or does it trust the application being installed outside its network (in the case of cloud-based MDM)?

These decisions will vary slightly by the size of the company. Many times a smaller company will choose the cloud with a single device license because it's easier to manage, whereas a medium to large company may want an MDM that's container-based with user licensing that is installed in-house because it's worried about the loss of data across multiple user devices.


This was last published in May 2015


Does your organization use a containerized or containerless MDM system?