
MDM architecture considerations for enterprise identity management

Randall Gamby details which enterprise identity management features to look for when evaluating products as the basis for an MDM architecture.

We're researching mobile device management (MDM) products. What are the easily overlooked identity management features to look for in MDM products?


Mobile device management (MDM) has become a popular technology as bring-your-own-device (BYOD) policies, which take advantage of the consumerization of computing platforms, become more common within organizations. Before enabling this access, it’s important that a company put an identity management (IdM) strategy in place and apply appropriate technologies to ensure data is protected should an end user’s device be misused, lost or stolen.

Enterprise identity management is one component of this strategy, and careful planning is required for a successful MDM architecture. Organizations need to ask the following questions to ensure they allow the proper access:

  • Who will be allowed to use BYOD devices? Functional and organizational roles for who has access to enterprise data must be determined before a BYOD policy can be established. Often this is based on the value or sensitivity of the data. MDM tie-ins to the enterprise Lightweight Directory Access Protocol (LDAP) or role-based directory can make this task easier.
  • What data will be allowed on the BYOD devices? Protected office email may be appropriate for mobile devices, but credit card or patient medical information, due to the stringent regulatory requirements for its protection, probably isn’t. If the MDM is tied into the enterprise provisioning system, it can leverage the roles and rules that are already used for the provisioning of user accounts.
  • What credentials will be used to protect the device? Mobile credentials should be of the same type and level of security as those on any other corporate device. A four-digit PIN is not acceptable. Tying the MDM into the corporate authentication directory, such as Active Directory, can leverage existing credentials and even supply single sign-on capabilities.
  • Can the mobile user’s identification be tied to his or her corporate ID? In the case of MDM, in order to capture text or SMS messages, the system needs to understand the corporate role the person plays. For example, a sales person or agent may make unrealistic statements regarding return on investment or payout of benefits. An enterprise needs to be able to isolate these personnel and ensure proper auditing of the content of their messages is done.
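
The four questions above can be answered by one enrollment policy that draws every decision from the directory rather than from settings typed into the MDM console. The following is an added example, not code from the column or from any MDM product: the directory entries, role names, data classes, audit rule and passcode rule are all constructed for the illustration (a real deployment would read them from LDAP or Active Directory and the provisioning system).

```python
"""Added example (not from the original column): an MDM enrollment policy
that takes every decision from the enterprise directory rather than from
per-device settings, following the four questions above. Directory records,
role names, data classes and the passcode rule are constructed for the
illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed entries in the shape an LDAP/Active Directory lookup returns.
DIRECTORY: Dict[str, dict] = {
    "jdoe": {"corporate_id": "E1001", "roles": ["employee", "sales"]},
    "asmith": {"corporate_id": "E1002", "roles": ["employee", "clinician"]},
    "contractor7": {"corporate_id": "C0007", "roles": ["contractor"]},
}

# Roles eligible for BYOD at all ("who"), and the data classes each role may
# receive on a personal device ("what"). Regulated classes such as cardholder
# data or patient records are deliberately absent from every role.
BYOD_ROLES: Set[str] = {"employee", "sales", "clinician"}
ROLE_DATA_CLASSES: Dict[str, Set[str]] = {
    "employee": {"email", "calendar"},
    "sales": {"email", "calendar", "crm_contacts"},
    "clinician": {"email", "calendar"},  # no "patient_records" on BYOD
}

# Roles whose text/SMS traffic must be captured and audited (the sales
# scenario from the fourth question).
AUDITED_ROLES: Set[str] = {"sales"}


@dataclass
class EnrollmentDecision:
    allowed: bool
    corporate_id: Optional[str] = None
    data_classes: Set[str] = field(default_factory=set)
    audit_messages: bool = False
    reasons: List[str] = field(default_factory=list)


def passcode_meets_policy(passcode: str) -> bool:
    """Constructed credential rule: same bar as a corporate password, so a
    four-digit PIN fails. Requires 8+ characters from at least two classes."""
    if len(passcode) < 8:
        return False
    classes = [
        any(c.islower() for c in passcode),
        any(c.isupper() for c in passcode),
        any(c.isdigit() for c in passcode),
        any(not c.isalnum() for c in passcode),
    ]
    return sum(classes) >= 2


def evaluate_enrollment(username: str, passcode: str,
                        directory: Dict[str, dict] = DIRECTORY) -> EnrollmentDecision:
    """Decide whether a device may enroll and what it may hold, using only
    the directory record (never a value typed into the MDM console)."""
    entry = directory.get(username)
    if entry is None:
        return EnrollmentDecision(False, reasons=["user not found in directory"])
    corporate_id = entry["corporate_id"]
    roles = set(entry["roles"])

    if not roles & BYOD_ROLES:
        return EnrollmentDecision(False, corporate_id,
                                  reasons=["no BYOD-eligible role"])
    if not passcode_meets_policy(passcode):
        return EnrollmentDecision(False, corporate_id,
                                  reasons=["passcode below corporate credential policy"])

    # Union of the data classes granted by every role the user holds.
    data: Set[str] = set()
    for role in roles:
        data |= ROLE_DATA_CLASSES.get(role, set())
    return EnrollmentDecision(True, corporate_id, data,
                              audit_messages=bool(roles & AUDITED_ROLES))


if __name__ == "__main__":
    for user, code in [("jdoe", "1234"), ("jdoe", "Correct-horse9"),
                       ("asmith", "Correct-horse9"), ("contractor7", "Correct-horse9")]:
        print(user, evaluate_enrollment(user, code))
```

The point of the structure is that the MDM holds no identity data of its own: eligibility, data classes, the credential bar and the audit flag all resolve from the directory record, so a role change in the provisioning system changes what the device may receive without anyone editing the MDM. The decision also carries the corporate ID, which is what ties captured messages back to the person and role for auditing.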

Whichever MDM product is chosen, it’s important that it be considered an enterprise infrastructure tool, and only a part of the solution. Considering how other applications and services are tied into the enterprise identity management service can help ensure common services are reused and, more importantly, that a consistent level of security is applied across the organization’s applications and mobile community.

This was last published in June 2012
